Security update for mariadb SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2698-1 Final 1 1 2019-12-22T05:12:51Z current 2019-12-22T05:12:51Z 2019-12-22T05:12:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mariadb This update for mariadb to version 10.2.29 fixes the following issues: MariaDB was updated to 10.2.29 (bsc#1156669) Security issues fixed: - CVE-2019-2737: Fixed an issue where could lead a remote attacker to cause denial of service - CVE-2019-2938: Fixed an issue where could lead a remote attacker to cause denial of service - CVE-2019-2740: Fixed an issue where could lead a local attacker to cause denial of service - CVE-2019-2805: Fixed an issue where could lead a local attacker to cause denial of service - CVE-2019-2974: Fixed an issue where could lead a remote attacker to cause denial of service - CVE-2019-2758: Fixed an issue where could lead a local attacker to cause denial of service or data corruption - CVE-2019-2739: Fixed an issue where could lead a local attacker to cause denial of service or data corruption This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2698 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html E-Mail link for openSUSE-SU-2019:2698-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1156669 SUSE Bug 1156669 https://www.suse.com/security/cve/CVE-2019-2737/ SUSE CVE CVE-2019-2737 page https://www.suse.com/security/cve/CVE-2019-2739/ SUSE CVE CVE-2019-2739 page https://www.suse.com/security/cve/CVE-2019-2740/ SUSE CVE CVE-2019-2740 page https://www.suse.com/security/cve/CVE-2019-2758/ SUSE CVE CVE-2019-2758 page https://www.suse.com/security/cve/CVE-2019-2805/ SUSE CVE CVE-2019-2805 page https://www.suse.com/security/cve/CVE-2019-2938/ SUSE CVE CVE-2019-2938 page https://www.suse.com/security/cve/CVE-2019-2974/ SUSE CVE CVE-2019-2974 page openSUSE Leap 15.1 libmysqld-devel-10.2.29-lp151.2.9.1 libmysqld19-10.2.29-lp151.2.9.1 mariadb-10.2.29-lp151.2.9.1 mariadb-bench-10.2.29-lp151.2.9.1 mariadb-client-10.2.29-lp151.2.9.1 mariadb-errormessages-10.2.29-lp151.2.9.1 mariadb-galera-10.2.29-lp151.2.9.1 mariadb-test-10.2.29-lp151.2.9.1 mariadb-tools-10.2.29-lp151.2.9.1 libmysqld-devel-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 libmysqld19-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-bench-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-client-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-errormessages-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-galera-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-test-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 mariadb-tools-10.2.29-lp151.2.9.1 as a component of openSUSE Leap 15.1 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Pluggable Auth). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2737 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2737.html CVE-2019-2737 https://bugzilla.suse.com/1132826 SUSE Bug 1132826 https://bugzilla.suse.com/1141798 SUSE Bug 1141798 https://bugzilla.suse.com/1156669 SUSE Bug 1156669 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2019-2739 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2739.html CVE-2019-2739 https://bugzilla.suse.com/1132826 SUSE Bug 1132826 https://bugzilla.suse.com/1141798 SUSE Bug 1141798 https://bugzilla.suse.com/1156669 SUSE Bug 1156669 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2740 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2740.html CVE-2019-2740 https://bugzilla.suse.com/1132826 SUSE Bug 1132826 https://bugzilla.suse.com/1141798 SUSE Bug 1141798 https://bugzilla.suse.com/1156669 SUSE Bug 1156669 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). CVE-2019-2758 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2758.html CVE-2019-2758 https://bugzilla.suse.com/1141798 SUSE Bug 1141798 https://bugzilla.suse.com/1156669 SUSE Bug 1156669 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2805 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2805.html CVE-2019-2805 https://bugzilla.suse.com/1132826 SUSE Bug 1132826 https://bugzilla.suse.com/1141798 SUSE Bug 1141798 https://bugzilla.suse.com/1156669 SUSE Bug 1156669 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2938 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2938.html CVE-2019-2938 https://bugzilla.suse.com/1154162 SUSE Bug 1154162 https://bugzilla.suse.com/1156669 SUSE Bug 1156669 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2019-2974 openSUSE Leap 15.1:libmysqld-devel-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:libmysqld19-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-bench-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-client-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-errormessages-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-galera-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-test-10.2.29-lp151.2.9.1 openSUSE Leap 15.1:mariadb-tools-10.2.29-lp151.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-12/msg00037.html https://www.suse.com/security/cve/CVE-2019-2974.html CVE-2019-2974 https://bugzilla.suse.com/1154162 SUSE Bug 1154162 https://bugzilla.suse.com/1156669 SUSE Bug 1156669