Security update for mariadb

Announcement ID:	SUSE-SU-2019:2461-1
Rating:	moderate
References:	bsc#1127027 bsc#1132826 bsc#1141798 bsc#1142058 bsc#1143215
Cross-References:	CVE-2019-2614 CVE-2019-2627 CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805
CVSS scores:	CVE-2019-2614 ( SUSE ): 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2614 ( NVD ): 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2614 ( NVD ): 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2627 ( SUSE ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2627 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2627 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2737 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2737 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2739 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H CVE-2019-2739 ( NVD ): 5.1 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H CVE-2019-2740 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2740 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2805 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2805 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-2805 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	HPE Helion OpenStack 8 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8

An update that solves six vulnerabilities can now be installed.

Description:

This update for mariadb fixes the following issues:

Updated to MariaDB 10.0.40-1.

Security issues fixed:

• CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737, CVE-2019-2614, CVE-2019-2627. (bsc#1132826) (bsc#1141798).

Non-security issues fixed:

• Adjusted mysql-systemd-helper ("shutdown protected MySQL" section) so it checks both ping response and the pid in a process list as it can take some time till the process is terminated. Otherwise it can lead to "found left-over process" situation when regular mariadb is started. (bsc#1143215)
• Fixed IP resolving in mysql_install_db script. (bsc#1142058, bsc#1127027, MDEV-18526)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• HPE Helion OpenStack 8
  zypper in -t patch HPE-Helion-OpenStack-8-2019-2461=1
• SUSE OpenStack Cloud 8
  zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2461=1
• SUSE OpenStack Cloud Crowbar 8
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2461=1

Package List:

• HPE Helion OpenStack 8 (x86_64)
  • libmysqlclient18-10.0.40.1-29.32.1
  • libmysqlclient18-debuginfo-10.0.40.1-29.32.1
• SUSE OpenStack Cloud 8 (x86_64)
  • libmysqlclient18-10.0.40.1-29.32.1
  • libmysqlclient18-debuginfo-10.0.40.1-29.32.1
• SUSE OpenStack Cloud Crowbar 8 (x86_64)
  • libmysqlclient18-10.0.40.1-29.32.1
  • libmysqlclient18-debuginfo-10.0.40.1-29.32.1

References:

• https://www.suse.com/security/cve/CVE-2019-2614.html
• https://www.suse.com/security/cve/CVE-2019-2627.html
• https://www.suse.com/security/cve/CVE-2019-2737.html
• https://www.suse.com/security/cve/CVE-2019-2739.html
• https://www.suse.com/security/cve/CVE-2019-2740.html
• https://www.suse.com/security/cve/CVE-2019-2805.html
• https://bugzilla.suse.com/show_bug.cgi?id=1127027
• https://bugzilla.suse.com/show_bug.cgi?id=1132826
• https://bugzilla.suse.com/show_bug.cgi?id=1141798
• https://bugzilla.suse.com/show_bug.cgi?id=1142058
• https://bugzilla.suse.com/show_bug.cgi?id=1143215