Bug 219045 - databases/mariadb101-server: Upgrade to latest version(v10.1.23) - current(v10.1.22) has critical vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bernard Spil
URL:
Keywords: needs-qa, patch, security
Depends on:
Blocks:

Reported: 2017-05-03 15:07 UTC by Dani I.
Modified: 2017-05-30 18:16 UTC
CC: 2 users

See Also:
Flags: brnrd: maintainer-feedback-

Attachments
- Update mariadb101-server to 10.1.23 (2.43 KB, patch), 2017-05-03 16:06 UTC, Dani I.
- Update mariadb101-client to 10.1.23 (10.48 KB, patch), 2017-05-03 16:08 UTC, Dani I.
- Update mariadb101-client pkg-plist for 10.1.23 (406 bytes, patch), 2017-05-03 18:16 UTC, Dani I.
- Building mariadb101-client from 2017Q2 branch (225.94 KB, text/plain), 2017-05-30 18:16 UTC, Michael Gmelin

Description Dani I. 2017-05-03 15:07:42 UTC
The current version available for FreeBSD is vulnerable since 19.04.2017 and has now been patched upstream. There are very critical vulnerabilities in it.

See here: https://mariadb.com/kb/en/mariadb/mariadb-10123-release-notes/

Available port version: 10.1.22
Patched version: 10.1.23

Important Changes

Fixes for the following security vulnerabilities:
    CVE-2017-3302
    CVE-2017-3313
    CVE-2017-3308
    CVE-2017-3309
    CVE-2017-3453
    CVE-2017-3456
    CVE-2017-3464 

Fixes:
    MDEV-12602: Fixed some race conditions in InnoDB encryption
    MariaDB Backup alpha introduced
    Galera wsrep library updated to 25.3.20
    Packages for Ubuntu 17.04 "zesty" added
    As per the MariaDB Deprecation Policy, this will be the last release of MariaDB 10.1 for Ubuntu 12.04 LTS "Precise" and Mint 13 LTS "Maya" 

-> Full Changelog: https://mariadb.com/kb/en/mariadb-10123-changelog/
Comment 1 Dani I. 2017-05-03 16:06:56 UTC
Created attachment 182280
Update mariadb101-server to 10.1.23

Following changes to the port (see patch):
- Change Version @ Makefile
- Change Size & Checksum @ distinfo
- Fix broken "patch-CMakeLists.txt" Patch
- Add patch "patch-MDEV-12281" for DoS of MariaDB Server - See MariaDB Bug MDEV-12281
Comment 2 Dani I. 2017-05-03 16:08:50 UTC
Created attachment 182281
Update mariadb101-client to 10.1.23

Following changes to the port (see patch):
- Fix broken "patch-CMakeLists.txt" Patch
- Remove unneeded "patch-build-fail-MDEV-12261" patch. This has been patched upstream and is included in the latest version (10.1.23)
Comment 3 Dani I. 2017-05-03 18:16:54 UTC
Created attachment 182287
Update mariadb101-client pkg-plist for 10.1.23

Add missing pkg-plist files.
Comment 4 Bernard Spil freebsd_committer 2017-05-03 20:14:34 UTC
Thanks Dani,

Processing this before I get to the 5.5.56 update.
Need to run builds...
Comment 5 commit-hook freebsd_committer 2017-05-04 06:47:28 UTC
A commit references this bug:

Author: brnrd
Date: Thu May  4 06:46:27 UTC 2017
New revision: 440094
URL: https://svnweb.freebsd.org/changeset/ports/440094

Log:
  databases/mariadb101-server: Update to 10.1.23

   - Security and bugfix update to 10.1.23
   - Add upstream patch for InnoDB crash
   - Update CMakeLists.txt patch
   - Remove MDEV-12261 patch (included upstream)
   - Fix plist issues

  PR:             219045
  Submitted by:   Dani <i.dani@outlook.com>
  MFH:            2017Q2
  Security:       d9e01c35-2531-11e7-b291-b499baebfeaf

Changes:
  head/databases/mariadb101-client/files/patch-CMakeLists.txt
  head/databases/mariadb101-client/files/patch-build-fail-MDEV-12261
  head/databases/mariadb101-client/pkg-plist
  head/databases/mariadb101-server/Makefile
  head/databases/mariadb101-server/distinfo
  head/databases/mariadb101-server/files/patch-CMakeLists.txt
  head/databases/mariadb101-server/files/patch-MDEV-12281
  head/databases/mariadb101-server/pkg-plist
Comment 6 Bernard Spil freebsd_committer 2017-05-04 06:48:18 UTC
Set maintainer-feedback to - due to minor issues with the patches

1. For Master ports, PORTREVISION is ?= 0 (not removed)
2. Missing plist patch for -server
Comment 7 Dani I. 2017-05-05 07:32:21 UTC
(In reply to Bernard Spil from comment #6)
Hey brnrd!
Thanks for the feedback. I realized too late that the plist for -server was missing. Really sorry about that! And thanks for the hint about the PORTREVISION - I didn't think about that. I'll try to be more precise the next time.

Anyway thanks for the fast update! Have a good weekend.
Comment 8 Bernard Spil freebsd_committer 2017-05-05 07:47:28 UTC
(In reply to Dani from comment #7)
Your effort is really appreciated Dani!

For maintainers it helps if you create a single `svn diff` for the changes from PORTSDIR. So in this case that'd be `cd /usr/ports ; svn diff databases/mariadb55-*`

If you want more hints, you can always try me (add to CC in PR).
Outdated, but it still contains relevant info:
https://wiki.freebsd.org/BernardSpil/PortingWorkflow
Comment 9 cstdenis 2017-05-24 04:17:48 UTC
This update needs to be pushed to quarterly packages due to the security fixes.
Comment 10 commit-hook freebsd_committer 2017-05-28 09:16:25 UTC
A commit references this bug:

Author: brnrd
Date: Sun May 28 09:15:54 UTC 2017
New revision: 441904
URL: https://svnweb.freebsd.org/changeset/ports/441904

Log:
  MFH: r440094

  databases/mariadb101-server: Update to 10.1.23

   - Security and bugfix update to 10.1.23
   - Add upstream patch for InnoDB crash
   - Update CMakeLists.txt patch
   - Remove MDEV-12261 patch (included upstream)
   - Fix plist issues

  PR:             219045
  Submitted by:   Dani <i.dani@outlook.com>
  Security:       d9e01c35-2531-11e7-b291-b499baebfeaf

  Approved by:    ports-secteam (woodsb02)

Changes:
_U  branches/2017Q2/
  branches/2017Q2/databases/mariadb101-client/files/patch-CMakeLists.txt
  branches/2017Q2/databases/mariadb101-client/files/patch-build-fail-MDEV-12261
  branches/2017Q2/databases/mariadb101-client/pkg-plist
  branches/2017Q2/databases/mariadb101-server/Makefile
  branches/2017Q2/databases/mariadb101-server/distinfo
  branches/2017Q2/databases/mariadb101-server/files/patch-CMakeLists.txt
  branches/2017Q2/databases/mariadb101-server/files/patch-MDEV-12281
  branches/2017Q2/databases/mariadb101-server/pkg-plist
Comment 11 Dani I. 2017-05-29 05:59:27 UTC
(In reply to commit-hook from comment #10)

Hey guys,
you should also backport bug #219235 - else there is a chance your MariaDB won't run stable and will crash.
Comment 12 Michael Gmelin freebsd_committer 2017-05-29 16:15:35 UTC
Also, it seems like mariadb won't build with LibreSSL anymore (probably the usual version check problem), can you handle this as well, or should I open a new PR?


--CONFIGURE_ENV--
XDG_DATA_HOME=/wrkdirs/usr/ports/databases/mariadb101-client/work  XDG_CONFIG_HOME=/wrkdirs/usr/ports/databases/mariadb101-client/work  HOME=/wrkdirs/usr/ports/databases/mariadb101-client/work TMPDIR="/tmp" S...skipping...
FAILED: client/mysqlshow
: && /usr/bin/c++   -O2 -pipe -fstack-protector -fno-strict-aliasing -DWITH_INNODB_DISALLOW_WRITES -fno-exceptions -fno-rtti -O2 -pipe -fstack-protector -fno-strict-aliasing -DDBUG_OFF  -Wl,-rpath,/usr/local/lib -fstack-protector client/CMakeFiles/mysqlshow.dir/mysqlshow.c.o  -o client/mysqlshow  -Wl,-rpath,/usr/local/lib:  -pthread libmysql/libmysqlclient.a -pthread -lz -lm -lexecinfo /usr/local/lib/libssl.so /usr/local/lib/libcrypto.so && :
libmysql/libmysqlclient.a(client.c.o): In function `send_client_reply_packet':
/wrkdirs/usr/ports/databases/mariadb101-client/work/mariadb-10.1.23/sql-common/client.c:(.text+0x6721): undefined reference to `X509_check_host'
c++: error: linker command failed with exit code 1 (use -v to see invocation)
(more errors follow)
Comment 13 Bernard Spil freebsd_committer 2017-05-29 19:10:58 UTC
(In reply to Dani from comment #11)
Hi Dani,

The patch patches both innobase and xtradb paths already.
https://svnweb.freebsd.org/ports/head/databases/mariadb101-server/files/patch-MDEV-12281

If anything else is amiss, do let me know!

Cheers, Bernard.
Comment 14 Bernard Spil freebsd_committer 2017-05-29 19:12:50 UTC
(In reply to Michael Gmelin from comment #12)
Hi Michael,

I always do the porting on a LibreSSL (in base) system. This would require more logs to investigate, got a poudriere log somewhere?

Cheers, Bernard.
Comment 15 Dani I. 2017-05-30 05:07:54 UTC
(In reply to Bernard Spil from comment #13)

Hey Bernard,

It is in the head branch, but the xtradb patch is missing in the 2017Q2 branch, as far as I can see.

https://svnweb.freebsd.org/ports/branches/2017Q2/databases/mariadb101-server/files/patch-MDEV-12281?revision=441904&view=markup

In my opinion the xtradb patch should be added here too.

Cheers
Dani
Comment 16 Michael Gmelin freebsd_committer 2017-05-30 18:16:02 UTC
Created attachment 183077
Building mariadb101-client from 2017Q2 branch

Hi Bernard,

This happens on the current quarterly branch (2017Q2), please find build log attached.

Exact tree version:

testq2    svn      2017-05-30 17:22:20 /pdr/ports/testq2

Path: .
Working Copy Root Path: /pdr/ports/testq2
URL: svn://svn.freebsd.org/ports/branches/2017Q2
Relative URL: ^/branches/2017Q2
Repository Root: svn://svn.freebsd.org/ports
Repository UUID: 35697150-7ecd-e111-bb59-0022644237b5
Revision: 442104
Node Kind: directory
Schedule: normal
Last Changed Author: feld
Last Changed Rev: 442061
Last Changed Date: 2017-05-30 13:20:13 +0000 (Tue, 30 May 2017)

Unrelated:
On a HEAD ports tree I see this warning in the QA stage:

===========================================================================
====> Running Q/A tests (stage-qa)
Error: /usr/local/bin/mariabackup is linked to /usr/local/lib/libarchive.so.13 from archiver
Warning: you need USES+=libarchive