Security updates for MariaDB
In December 2012, a number of vulnerabilities in MySQL and its clones were revealed. Two of the issues were dealt with by the MariaDB developers almost immediately, while others were left outstanding. Now, MariaDB developers have released updates which address the other issues.
CVE-2012-5627, a long-known issue which allowed a user with existing credentials to carry out an accelerated brute-force attack on other users' credentials, has been addressed by adding a delay to the process of changing from one user account to another and also by spotting persistent failed attempts at changing the user. CVE-2012-5615, which allowed an attacker to more easily establish which user names exist, has also been fixed. A variant of CVE-2012-5611, a stack-based buffer overflow which could allow remote authenticated users to execute code, has been corrected. There are also fixes for crashes and server lock-ups. The new updates include upstream fixes such as Oracle's fix for CVE-2012-5612 (a heap buffer overflow with effects ranging from denial of service to arbitrary code execution).
The available updates include MariaDB 5.5.29, 5.3.12, 5.2.14 and 5.1.67. MariaDB 5.5.29 builds for Fedora 18 and Ubuntu 12.10 are also now available. From 1 February, the project will no longer provide builds for Fedora 16, Debian 5 and Ubuntu 10.10 and 11.04.
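A check of server versions against the fixed releases listed above, as an added example that is not part of the original article or of the MariaDB project. It assumes version strings in the form returned by `SELECT VERSION()`; the host names and version strings in the sample inventory are constructed.

```python
import re

# Fixed release per MariaDB series, as listed in the article:
# 5.5.29, 5.3.12, 5.2.14 and 5.1.67.
FIXED = {(5, 5): 29, (5, 3): 12, (5, 2): 14, (5, 1): 67}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def patch_status(version_string):
    """Classify one server version string.

    Returns 'patched' or 'outdated' for a MariaDB series the article lists,
    and 'unknown' for anything else (unparseable, not MariaDB, other series).
    """
    text = version_string.strip()
    match = _VERSION_RE.match(text)
    # MySQL shares version numbers such as 5.5.29, so require the
    # MariaDB marker before applying MariaDB's release table.
    if not match or "mariadb" not in text.lower():
        return "unknown"
    major, minor, patch = (int(part) for part in match.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    # Letter suffixes such as '28a' are still below the fixed release.
    return "patched" if patch >= fixed_patch else "outdated"


def audit(inventory):
    """Group host names by patch status; inventory maps host -> version."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, version in inventory.items():
        report[patch_status(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "db1.example.internal": "5.5.28a-MariaDB-1~quantal-log",
    "db2.example.internal": "5.5.29-MariaDB",
    "db3.example.internal": "5.3.11-MariaDB",
    "db4.example.internal": "5.5.29-log",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, since the article only names fixed releases for the four MariaDB series in the table.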