Security update for mariadb

Announcement ID:	SUSE-SU-2019:0555-1
Rating:	important
References:	bsc#1013882 bsc#1101676 bsc#1101677 bsc#1101678 bsc#1103342 bsc#1111858 bsc#1111859 bsc#1112368 bsc#1112377 bsc#1112384 bsc#1112386 bsc#1112391 bsc#1112397 bsc#1112404 bsc#1112415 bsc#1112417 bsc#1112421 bsc#1112432 bsc#1112767 bsc#1116686 bsc#1118754 bsc#1120041 bsc#1122198 bsc#1122475 bsc#1127027
Cross-References:	CVE-2016-9843 CVE-2018-3058 CVE-2018-3060 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066 CVE-2018-3143 CVE-2018-3156 CVE-2018-3162 CVE-2018-3173 CVE-2018-3174 CVE-2018-3185 CVE-2018-3200 CVE-2018-3251 CVE-2018-3277 CVE-2018-3282 CVE-2018-3284 CVE-2019-2510 CVE-2019-2537
CVSS scores:	CVE-2016-9843 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-9843 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-3058 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3058 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3058 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2018-3060 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2018-3060 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2018-3063 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3063 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3063 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3064 ( SUSE ): 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3064 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3064 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2018-3066 ( SUSE ): 3.3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3066 ( NVD ): 3.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3066 ( NVD ): 3.3 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVE-2018-3143 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3143 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3156 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3156 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3162 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3162 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3173 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3173 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3174 ( SUSE ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3174 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3174 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2018-3185 ( NVD ): 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H CVE-2018-3185 ( NVD ): 5.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H CVE-2018-3200 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3200 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3251 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-3277 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3277 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3282 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3284 ( SUSE ): 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3284 ( NVD ): 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2018-3284 ( NVD ): 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2510 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2510 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2510 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2537 ( SUSE ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2537 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2019-2537 ( NVD ): 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Server Applications Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves 19 vulnerabilities and has six security fixes can now be installed.

Description:

This update for mariadb to version 10.2.22 fixes the following issues:

Security issues fixed:

• CVE-2019-2510: Fixed a vulnerability which can lead to MySQL compromise and lead to Denial of Service (bsc#1122198).
• CVE-2019-2537: Fixed a vulnerability which can lead to MySQL compromise and lead to Denial of Service (bsc#1122198).
• CVE-2018-3284: Fixed InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112377)
• CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct 2018) (bsc#1112432)
• CVE-2018-3277: Fixed InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112391)
• CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112397)
• CVE-2018-3200: Fixed InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112404)
• CVE-2018-3185: Fixed InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112384)
• CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018) (bsc#1112368)
• CVE-2018-3173: Fixed InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112386)
• CVE-2018-3162: Fixed InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112415)
• CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112417)
• CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112421)
• CVE-2018-3066: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
• CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018) (bsc#1103342)
• CVE-2018-3063: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
• CVE-2018-3058: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
• CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)

Non-security issues fixed:

• Fixed an issue where mysl_install_db fails due to incorrect basedir (bsc#1127027).
• Fixed an issue where the lograte was not working (bsc#1112767).
• Backport Information Schema CHECK_CONSTRAINTS Table.
• Maximum value of table_definition_cache is now 2097152.
• InnoDB ALTER TABLE fixes.
• Galera crash recovery fixes.
• Encryption fixes.
• Remove xtrabackup dependency as MariaDB ships a build in mariabackup so xtrabackup is not needed (bsc#1122475).
• Maria DB testsuite - test main.plugin_auth failed (bsc#1111859)
• Maria DB testsuite - test encryption.second_plugin-12863 failed (bsc#1111858)
• Remove PerconaFT from the package as it has AGPL licence (bsc#1118754)
• remove PerconaFT from the package as it has AGPL licence (bsc#1118754)
• Database corruption after renaming a prefix-indexed column (bsc#1120041)

Release notes and changelog:

• https://mariadb.com/kb/en/library/mariadb-10222-release-notes
• https://mariadb.com/kb/en/library/mariadb-10222-changelog/

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-555=1

Package List:

• Server Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • mariadb-client-10.2.22-3.14.1
  • libmysqld-devel-10.2.22-3.14.1
  • mariadb-tools-10.2.22-3.14.1
  • mariadb-client-debuginfo-10.2.22-3.14.1
  • mariadb-10.2.22-3.14.1
  • libmysqld19-10.2.22-3.14.1
  • mariadb-debugsource-10.2.22-3.14.1
  • mariadb-tools-debuginfo-10.2.22-3.14.1
  • libmysqld19-debuginfo-10.2.22-3.14.1
  • mariadb-debuginfo-10.2.22-3.14.1
• Server Applications Module 15 (noarch)
  • mariadb-errormessages-10.2.22-3.14.1

References:

• https://www.suse.com/security/cve/CVE-2016-9843.html
• https://www.suse.com/security/cve/CVE-2018-3058.html
• https://www.suse.com/security/cve/CVE-2018-3060.html
• https://www.suse.com/security/cve/CVE-2018-3063.html
• https://www.suse.com/security/cve/CVE-2018-3064.html
• https://www.suse.com/security/cve/CVE-2018-3066.html
• https://www.suse.com/security/cve/CVE-2018-3143.html
• https://www.suse.com/security/cve/CVE-2018-3156.html
• https://www.suse.com/security/cve/CVE-2018-3162.html
• https://www.suse.com/security/cve/CVE-2018-3173.html
• https://www.suse.com/security/cve/CVE-2018-3174.html
• https://www.suse.com/security/cve/CVE-2018-3185.html
• https://www.suse.com/security/cve/CVE-2018-3200.html
• https://www.suse.com/security/cve/CVE-2018-3251.html
• https://www.suse.com/security/cve/CVE-2018-3277.html
• https://www.suse.com/security/cve/CVE-2018-3282.html
• https://www.suse.com/security/cve/CVE-2018-3284.html
• https://www.suse.com/security/cve/CVE-2019-2510.html
• https://www.suse.com/security/cve/CVE-2019-2537.html
• https://bugzilla.suse.com/show_bug.cgi?id=1013882
• https://bugzilla.suse.com/show_bug.cgi?id=1101676
• https://bugzilla.suse.com/show_bug.cgi?id=1101677
• https://bugzilla.suse.com/show_bug.cgi?id=1101678
• https://bugzilla.suse.com/show_bug.cgi?id=1103342
• https://bugzilla.suse.com/show_bug.cgi?id=1111858
• https://bugzilla.suse.com/show_bug.cgi?id=1111859
• https://bugzilla.suse.com/show_bug.cgi?id=1112368
• https://bugzilla.suse.com/show_bug.cgi?id=1112377
• https://bugzilla.suse.com/show_bug.cgi?id=1112384
• https://bugzilla.suse.com/show_bug.cgi?id=1112386
• https://bugzilla.suse.com/show_bug.cgi?id=1112391
• https://bugzilla.suse.com/show_bug.cgi?id=1112397
• https://bugzilla.suse.com/show_bug.cgi?id=1112404
• https://bugzilla.suse.com/show_bug.cgi?id=1112415
• https://bugzilla.suse.com/show_bug.cgi?id=1112417
• https://bugzilla.suse.com/show_bug.cgi?id=1112421
• https://bugzilla.suse.com/show_bug.cgi?id=1112432
• https://bugzilla.suse.com/show_bug.cgi?id=1112767
• https://bugzilla.suse.com/show_bug.cgi?id=1116686
• https://bugzilla.suse.com/show_bug.cgi?id=1118754
• https://bugzilla.suse.com/show_bug.cgi?id=1120041
• https://bugzilla.suse.com/show_bug.cgi?id=1122198
• https://bugzilla.suse.com/show_bug.cgi?id=1122475
• https://bugzilla.suse.com/show_bug.cgi?id=1127027