An update for mariadb-galera is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Galera is a synchronous multi-master cluster for MariaDB.

Security Fix(es):

* It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. (CVE-2016-6662)

Bug Fix(es):

* Because Red Hat Enterprise Linux 7.3 changed the return format of the "systemctl is-enabled" command as consumed by shell scripts, the mariadb-galera RPM package, upon installation, erroneously detected that the MariaDB service was enabled when it was not. As a result, the Red Hat OpenStack Platform installer, which then tried to run mariadb-galera using Pacemaker and not systemd, failed to start Galera. With this update, mariadb-galera's RPM installation scripts now use a different systemctl command, correctly detecting the default MariaDB as disabled, and the installer can succeed. (BZ#1376908)

* Previously, both the mariadb-server and mariadb-galera-server packages shipped the client-facing libraries, dialog.so and mysql_clear_password.so. As a result, the mariadb-galera-server package would fail to install because of package conflicts. With this update, these libraries have been moved from mariadb-galera-server to mariadb-libs, and the mariadb-galera-server package installs successfully. (BZ#1376902)
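To find the accounts that meet the precondition named in the security fix above (an administrative database user, or a user with FILE privileges), the following added example, which is not part of the Red Hat advisory, parses `SHOW GRANTS` output and reports global FILE and SUPER grants. Treating SUPER as the marker of an administrative account is this example's assumption, and the grant lines are constructed sample data.

```python
import re

# FILE is named in the advisory; SUPER stands in for "administrative
# database user" (assumption of this example).
RISKY = {"FILE", "SUPER"}

# Matches one line of SHOW GRANTS output up to the account name.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>'[^']*'@'[^']*')",
    re.IGNORECASE,
)

def risky_accounts(grant_lines):
    """Return {account: sorted risky global privileges} for the given grants."""
    findings = {}
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        # FILE and SUPER can only be granted globally, so skip other scopes.
        if not m or m.group("scope") != "*.*":
            continue
        # Drop column lists such as SELECT (col1, col2) before splitting.
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
        names = {p.strip().upper() for p in privs.split(",")}
        if names & {"ALL", "ALL PRIVILEGES"}:
            hit = set(RISKY)  # a global ALL includes FILE and SUPER
        else:
            hit = names & RISKY
        if hit:
            findings.setdefault(m.group("account"), set()).update(hit)
    return {acct: sorted(p) for acct, p in findings.items()}

# Constructed sample input: one SHOW GRANTS line per entry.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'%'",
    "GRANT SELECT, FILE ON *.* TO 'etl'@'10.0.0.%'",
    "GRANT RELOAD, SUPER ON *.* TO 'backup'@'localhost'",
]

if __name__ == "__main__":
    for account, privs in risky_accounts(SAMPLE_GRANTS).items():
        print(f"{account}: {', '.join(privs)}")
```
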
For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.
1375198 – CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation
1376902 – RHEL 7.3 upgrades fails on upgrade because of mariadb-libs package conflict.
1376908 – mysqld service prevents haproxy to get started and deployment fails
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: