rh-mariadb101-galera-25.3.12-12.AXS4, rh-mariadb101-mariadb-10.1.29-3.AXS4

MariaDB is a multi-user, multi-threaded SQL database server. For all practical
purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version:
rh-mariadb101-mariadb (10.1.29). (BZ#1463417, BZ#1517327)

Security Fix(es):

* mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016)
(CVE-2016-5617, CVE-2016-6664)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017)
(CVE-2017-3238)

* mysql: Server: Charsets unspecified vulnerability (CPU Jan 2017)
(CVE-2017-3243)

* mysql: Server: DML unspecified vulnerability (CPU Jan 2017) (CVE-2017-3244)

* mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2017) (CVE-2017-3257)

* mysql: Server: DDL unspecified vulnerability (CPU Jan 2017) (CVE-2017-3258)

* mysql: unsafe chmod/chown use in init script (CPU Jan 2017) (CVE-2017-3265)

* mysql: unrestricted mysqld_safe's ledir (CPU Jan 2017) (CVE-2017-3291)

* mysql: Server: DML unspecified vulnerability (CPU Apr 2017) (CVE-2017-3308)

* mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
(CVE-2017-3309)

* mysql: insecure error log file handling in mysqld_safe, incomplete
CVE-2016-6664 fix (CPU Jan 2017) (CVE-2017-3312)

* mysql: Server: MyISAM unspecified vulnerability (CPU Jan 2017) (CVE-2017-3313)

* mysql: Logging unspecified vulnerability (CPU Jan 2017) (CVE-2017-3317)

* mysql: Server: Error Handling unspecified vulnerability (CPU Jan 2017)
(CVE-2017-3318)

* mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
(CVE-2017-3453)

* mysql: Server: DML unspecified vulnerability (CPU Apr 2017) (CVE-2017-3456)

* mysql: Server: DDL unspecified vulnerability (CPU Apr 2017) (CVE-2017-3464)

* mysql: Client programs unspecified vulnerability (CPU Jul 2017)
(CVE-2017-3636)

* mysql: Server: DML unspecified vulnerability (CPU Jul 2017) (CVE-2017-3641)

* mysql: Server: Replication unspecified vulnerability (CPU Oct 2017)
(CVE-2017-10268)

* mysql: Server: InnoDB unspecified vulnerability (CPU Oct 2017)
(CVE-2017-10286)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
(CVE-2017-10378)

* mysql: Client programs unspecified vulnerability (CPU Oct 2017)
(CVE-2017-10379)

* mysql: Server: DDL unspecified vulnerability (CPU Oct 2017) (CVE-2017-10384)

* mysql: prepared statement handle use-after-free after disconnect
(CVE-2017-3302)

* mysql: Server: DDL unspecified vulnerability (CPU Jul 2017) (CVE-2017-3653)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Bug Fix(es):

* Previously, a syntax error in the Galera Arbitrator SysV init script prevented
the garbd daemon from being started when the SysV init script was used. With
this update, the definition of the main daemon binary in the SysV init script
has been fixed, and the described problem no longer occurs. (BZ#1466473)

* Prior to this update, the scl macros were not set for the
rh-mariadb101-mariadb@.service file, which consequently made the service file
unusable. This bug has been fixed, and rh-mariadb101-mariadb@.service now works
as expected. (BZ#1485995)

CVE-2016-5617
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-6664.
Reason: This candidate is a reservation duplicate of CVE-2016-6664. Notes: All
CVE users should reference CVE-2016-6664 instead of this candidate. All
references and descriptions in this candidate have been removed to prevent
accidental usage.
CVE-2016-6664
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x
through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before
5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before
5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when
using file-based logging, allows local users with access to the mysql account to
gain root privileges via a symlink attack on error logs and possibly other
files.
CVE-2017-3238
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Optimizer). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
CVE-2017-3243
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Charsets). Supported versions that are affected are 5.5.53 and earlier.
Difficult to exploit vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score
4.4 (Availability impacts).
CVE-2017-3244
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DML). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
CVE-2017-3257
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: InnoDB). Supported versions that are affected are 5.6.34 and
earlier5.7.16 and earlier. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
CVE-2017-3258
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DDL). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS v3.0 Base Score 6.5 (Availability impacts).
CVE-2017-3265
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Packaging). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability
allows high privileged attacker with logon to the infrastructure where MySQL
Server executes to compromise MySQL Server. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized access to critical data or complete
access to all MySQL Server accessible data and unauthorized ability to cause a
hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0
Base Score 5.6 (Confidentiality and Availability impacts).
CVE-2017-3291
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Packaging). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability
allows high privileged attacker with logon to the infrastructure where MySQL
Server executes to compromise MySQL Server. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.3
(Confidentiality, Integrity and Availability impacts).
CVE-2017-3302
Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x before 5.7.5
and MariaDB through 5.5.54, 10.0.x through 10.0.29, 10.1.x through 10.1.21, and
10.2.x through 10.2.3.
CVE-2017-3308
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DML). Supported versions that are affected are 5.5.54 and earlier,
5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7
(Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
CVE-2017-3309
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier,
5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7
(Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
CVE-2017-3312
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Packaging). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability
allows low privileged attacker with logon to the infrastructure where MySQL
Server executes to compromise MySQL Server. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in takeover of MySQL Server. CVSS v3.0 Base Score 6.7
(Confidentiality, Integrity and Availability impacts).
CVE-2017-3313
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: MyISAM). Supported versions that are affected are 5.5.53 and earlier,
5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability
allows low privileged attacker with logon to the infrastructure where MySQL
Server executes to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized access to critical data or complete
access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.7
(Confidentiality impacts).
CVE-2017-3317
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Logging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34
and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where MySQL Server
executes to compromise MySQL Server. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 4.0
(Availability impacts).
CVE-2017-3318
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Error Handling). Supported versions that are affected are 5.5.53 and
earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit
vulnerability allows high privileged attacker with logon to the infrastructure
where MySQL Server executes to compromise MySQL Server. Successful attacks
require human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in unauthorized access to critical data
or complete access to all MySQL Server accessible data. CVSS v3.0 Base Score 4.0
(Confidentiality impacts).
CVE-2017-3453
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier,
5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2017-3456
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DML). Supported versions that are affected are 5.5.54 and earlier,
5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability
allows high privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2017-3464
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DDL). Supported versions that are affected are 5.5.54 and earlier,
5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
CVE-2017-3636
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Client programs). Supported versions that are affected are 5.5.56 and earlier
and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged
attacker with logon to the infrastructure where MySQL Server executes to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of MySQL Server accessible
data as well as unauthorized read access to a subset of MySQL Server accessible
data and unauthorized ability to cause a partial denial of service (partial DOS)
of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and
Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
CVE-2017-3641
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DML). Supported versions that are affected are 5.5.56 and earlier,
5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability
allows high privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2017-3653
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DDL). Supported versions that are affected are 5.5.56 and earlier,
5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of MySQL Server accessible
data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).
CVE-2017-10268
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Replication). Supported versions that are affected are 5.5.57 and
earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit
vulnerability allows high privileged attacker with logon to the infrastructure
where MySQL Server executes to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized access to critical data or
complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1
(Confidentiality impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
CVE-2017-10286
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: InnoDB). Supported versions that are affected are 5.6.37 and earlier and
5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
3.0 Base Score 4.4 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2017-10378
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier,
5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2017-10379
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Client programs). Supported versions that are affected are 5.5.57 and earlier,
5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability
allows low privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all MySQL Server
accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
CVE-2017-10384
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent:
Server: DDL). Supported versions that are affected are 5.5.57 and earlier 5.6.37
and earlier 5.7.19 and earlier. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash (complete
DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).