Bug 1524234 (CVE-2017-15365)
| Field | Value |
|---|---|
| Summary | CVE-2017-15365 mariadb: Replication in sql/event_data_objects.cc occurs before ACL checks |
| Product | [Other] Security Response |
| Reporter | Sam Fowler <sfowler> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | apevec, chrisw, databases-maint, dciabrin, hhorak, jjoyce, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, sclewis, slinaber, srevivo, tdecacqu |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | mariadb 10.2.10, mariadb 10.1.30 |
| Doc Type | If docs needed, set a value |
| Doc Text | It was discovered that MariaDB could replicate certain data definition language (DDL) commands to other cluster nodes despite an access control check failure. A user with SQL access to the server could possibly use this flaw to perform database modifications on certain cluster nodes without having the privileges to perform such changes. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-05-21 21:02:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1524235, 1524767, 1527365, 1558264, 1558265, 1701268 |
| Bug Blocks | 1523473 |
Description

Sam Fowler
2017-12-11 01:56:19 UTC

Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1524235]

Created mariadb tracking bugs for this issue:

Affects: openstack-rdo [bug 1524767]

Hi, upstream says on https://mariadb.com/kb/en/library/security/ that the issue has been fixed in both MariaDB 10.2.10 and MariaDB 10.1.30. There are no older versions present in Fedora. Can I just close the Fedora bug, or do we need a more complicated fix on the downstream side?

Yeah, I'm so blind I can't even read my own notes. The Fedora bug was left open till 10.2.10 was released in F27. I had long, long troubles releasing that (and 10.2.12) update, and I forgot to add it to it as solved.

This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 6
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1258 https://access.redhat.com/errata/RHSA-2019:1258