diff --git a/.gitignore b/.gitignore
index e70ab19..cacc57a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mariadb-5.5.52.tar.gz
+SOURCES/mariadb-5.5.56.tar.gz
diff --git a/.mariadb.metadata b/.mariadb.metadata
index b97ba17..940a6fd 100644
--- a/.mariadb.metadata
+++ b/.mariadb.metadata
@@ -1 +1 @@
-bbedcc0eba7580d1ef16f2dfe4868cf9f31a636d SOURCES/mariadb-5.5.52.tar.gz
+7edaedfdc1bc6ee1856925cd9bf67c3ed2924a75 SOURCES/mariadb-5.5.56.tar.gz
diff --git a/SOURCES/mariadb-prepare-db-dir b/SOURCES/mariadb-prepare-db-dir
index 8a7d3e1..e8a284b 100644
--- a/SOURCES/mariadb-prepare-db-dir
+++ b/SOURCES/mariadb-prepare-db-dir
@@ -9,9 +9,13 @@
# We use my_print_defaults which prints all options from multiple files,
# with the more specific ones later; hence take the last match.
get_mysql_option(){
+ if [ $# -ne 3 ] ; then
+ echo "get_mysql_option requires 3 arguments: section option default_value"
+ return
+ fi
result=`/usr/bin/my_print_defaults "$1" | sed -n "s/^--$2=//p" | tail -n 1`
if [ -z "$result" ]; then
- # not found, use default
+ # if not found, use the default value
result="$3"
fi
}
@@ -24,6 +28,8 @@ errlogfile="$result"
get_mysql_option mysqld socket "$datadir/mysql.sock"
socketfile="$result"
+
+
# Absorb configuration settings from the specified systemd service file,
# or the default "mysqld" service if not specified
SERVICE_NAME="$1"
@@ -46,11 +52,28 @@ then
mygroup=mysql
fi
+
+
# Set up the errlogfile with appropriate permissions
-touch "$errlogfile"
-chown "$myuser:$mygroup" "$errlogfile"
-chmod 0640 "$errlogfile"
-[ -x /sbin/restorecon ] && /sbin/restorecon "$errlogfile"
+if [ ! -e "$errlogfile" -a ! -h "$errlogfile" -a x$(dirname "$errlogfile") = "x/var/log" ]; then
+ case $(basename "$errlogfile") in
+ mysql*.log|mariadb*.log) install /dev/null -m0640 -o$myuser -g$mygroup "$errlogfile" ;;
+ *) ;;
+ esac
+else
+ # Provide some advice if the log file cannot be created by this script
+ errlogdir=$(dirname "$errlogfile")
+ if ! [ -d "$errlogdir" ] ; then
+ echo "The directory $errlogdir does not exist."
+ exit 1
+ elif [ -e "$errlogfile" -a ! -w "$errlogfile" ] ; then
+ echo "The log file $errlogfile cannot be written, please, fix its permissions."
+ echo "The daemon will be run under $myuser:$mygroup"
+ exit 1
+ fi
+fi
+
+
# We check if there is already a process using the socket file,
# since otherwise this systemd service file could report false
@@ -62,8 +85,33 @@ if fuser "$socketfile" &>/dev/null ; then
exit 1
fi
-# Make the data directory
-if [ ! -d "$datadir/mysql" ] ; then
+
+
+export LC_ALL=C
+
+# Returns content of the specified directory
+# If listing files fails, fake-file is returned so which means
+# we'll behave like there was some data initialized
+# Some files or directories are fine to be there, so those are
+# explicitly removed from the listing
+# @param <dir> datadir
+list_datadir ()
+{
+ ( ls -1A "$1" 2>/dev/null || echo "fake-file" ) | grep -v \
+ -e '^lost+found$' \
+ -e '\.err$' \
+ -e '^.bash_history$'
+}
+
+# Checks whether datadir should be initialized
+# @param <dir> datadir
+should_initialize ()
+{
+ test -z "$(list_datadir "$1")"
+}
+
+# Make the data directory if doesn't exist or empty
+if should_initialize "$datadir" ; then
# First, make sure $datadir is there with correct permissions
# (note: if it's not, and we're not root, this'll fail ...)
if [ ! -e "$datadir" -a ! -h "$datadir" ]
@@ -74,21 +122,49 @@ if [ ! -d "$datadir/mysql" ] ; then
chmod 0755 "$datadir"
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"
+
+
# Now create the database
- echo "Initializing MySQL database"
- /usr/bin/mysql_install_db --datadir="$datadir" --user="$myuser"
+ echo "Initializing MariaDB database"
+ # Avoiding deletion of files not created by mysql_install_db is
+ # guarded by time check and sleep should help work-arounded
+ # potential issues on systems with 1 second resolution timestamps
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1335849#c19
+ INITDB_TIMESTAMP=`LANG=C date -u`
+ sleep 1
+ /usr/bin/mysql_install_db --rpm --datadir="$datadir" --user="$myuser"
ret=$?
if [ $ret -ne 0 ] ; then
- echo "Initialization of MySQL database failed." >&2
- echo "Perhaps /etc/my.cnf is misconfigured." >&2
+ echo "Initialization of MariaDB database failed." >&2
+ echo "Perhaps @sysconfdir@/my.cnf is misconfigured or there is some problem with permissions of $datadir." >&2
# Clean up any partially-created database files
- if [ ! -e "$datadir/mysql/user.frm" ] ; then
- rm -rf "$datadir"/*
+ if [ ! -e "$datadir/mysql/user.frm" ] && [ -d "$datadir" ] ; then
+ echo "Initialization of MariaDB database was not finished successfully." >&2
+ echo "Files created so far will be removed." >&2
+ find "$datadir" -mindepth 1 -maxdepth 1 -newermt "$INITDB_TIMESTAMP" \
+ -not -name "lost+found" -exec rm -rf {} +
+ if [ $? -ne 0 ] ; then
+ echo "Removing of created files was not successfull." >&2
+ echo "Please, clean directory $datadir manually." >&2
+ fi
+ else
+ echo "However, part of data has been initialized and those will not be removed." >&2
+ echo "Please, clean directory $datadir manually." >&2
fi
exit $ret
fi
- # In case we're running as root, make sure files are owned properly
- chown -R "$myuser:$mygroup" "$datadir"
+else
+ if [ -d "$datadir/mysql/" ] ; then
+ # mysql dir exists, it seems data are initialized properly
+ echo "Database MariaDB is probably initialized in $datadir already, nothing is done."
+ echo "If this is not the case, make sure the $datadir is empty before running `basename $0`."
+ else
+ # if the directory is not empty but mysql/ directory is missing, then
+ # print error and let user to initialize manually or empty the directory
+ echo "Database MariaDB is not initialized, but the directory $datadir is not empty, so initialization cannot be done."
+ echo "Make sure the $datadir is empty before running `basename $0`."
+ exit 1
+ fi
fi
exit 0
diff --git a/SOURCES/rh-skipped-tests-arm.list b/SOURCES/rh-skipped-tests-arm.list
deleted file mode 100644
index a6ae9bf..0000000
--- a/SOURCES/rh-skipped-tests-arm.list
+++ /dev/null
@@ -1,8 +0,0 @@
-
-# Disable perfschema.func_file_io and perfschema.func_mutex, which fail
-# because cycle counter returns 0 every time on ARM architectures.
-# This is caused by missing hardware performance counter support on ARM.
-# Discussion about fixing that can be found in RH bug #741325.
-
-perfschema.func_file_io : rhbz#773116 cycle counter does not work on arm
-perfschema.func_mutex : rhbz#773116 cycle counter does not work on arm
diff --git a/SOURCES/rh-skipped-tests-base.list b/SOURCES/rh-skipped-tests-base.list
index 1a73c03..6c7a1d5 100644
--- a/SOURCES/rh-skipped-tests-base.list
+++ b/SOURCES/rh-skipped-tests-base.list
@@ -1,5 +1,3 @@
-# Disable innodb.innodb, which is showing platform-dependent results
-# as of 5.5.9. Upstream at http://bugs.mysql.com/bug.php?id=60155
-
-innodb.innodb : bug#60155 has platform-dependent results
+# Tests and a bug where we track the failure in the following format:
+# suite.test : rhbz#1234567
diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec
index 73c737d..ed226cf 100644
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@@ -3,8 +3,8 @@
%bcond_with tokudb
Name: mariadb
-Version: 5.5.52
-Release: 1%{?dist}
+Version: 5.5.56
+Release: 2%{?dist}
Epoch: 1
Summary: A community developed branch of MySQL
@@ -34,7 +34,6 @@ Source11: mariadb.service
Source12: mariadb-prepare-db-dir
Source13: mariadb-wait-ready
Source14: rh-skipped-tests-base.list
-Source15: rh-skipped-tests-arm.list
Source16: README.mysql-cnf
# Working around perl dependency checking bug in rpm FTTB. Remove later.
Source999: filter-requires-mysql.sh
@@ -62,6 +61,8 @@ BuildRequires: time procps
# perl modules needed to run regression tests
BuildRequires: perl(Socket), perl(Time::HiRes)
BuildRequires: perl(Data::Dumper), perl(Test::More), perl(Env)
+# version 5.5.56+ requires checkpolicy and policycoreutils-python
+BuildRequires: checkpolicy policycoreutils-python
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: grep, fileutils, bash
@@ -226,22 +227,13 @@ rm -f mysql-test/t/ssl_8k_key-master.opt
# generate a list of tests that fail, but are not disabled by upstream
cat %{SOURCE14} > mysql-test/rh-skipped-tests.list
-# disable some tests failing on ARM architectures
-%ifarch %{arm} aarch64
-cat %{SOURCE15} >> mysql-test/rh-skipped-tests.list
-%endif
-# disable some tests failing on ppc and s390
-%ifarch ppc %{power64} s390 s390x aarch64
-echo "main.gis-precise : rhbz#906367" >> mysql-test/rh-skipped-tests.list
+# disable some tests failing on particular aches
+%ifarch aarch64
+echo "perfschema.dml_setup_timers : rhbz#1449880" >> mysql-test/rh-skipped-tests.list
%endif
%ifarch i686
echo "main.mysql_client_test_nonblock : rhbz#1021450" >> mysql-test/rh-skipped-tests.list
%endif
-%ifarch %{power64}
-echo "rpl.rpl_insert : rhbz#1125605" >> mysql-test/rh-skipped-tests.list
-echo "rpl.rpl_insert_delayed : rhbz#1125605" >> mysql-test/rh-skipped-tests.list
-echo "main.mysqlslap : rhbz#1125605" >> mysql-test/rh-skipped-tests.list
-%endif
%build
@@ -346,9 +338,10 @@ done
(
cd mysql-test
perl ./mysql-test-run.pl --force --retry=0 \
+ --skip-test-list=rh-skipped-tests.list \
--suite-timeout=720 --testcase-timeout=30 \
--mysqld=--binlog-format=mixed --force-restart \
- --shutdown-timeout=60 || :
+ --shutdown-timeout=60
# cmake build scripts will install the var cruft if left alone :-(
rm -rf var
)
@@ -475,7 +468,6 @@ rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/mysql
# remove doc files that we rather pack using %%doc
rm -f ${RPM_BUILD_ROOT}%{_datadir}/doc/COPYING
-rm -f ${RPM_BUILD_ROOT}%{_datadir}/doc/COPYING.LESSER
rm -f ${RPM_BUILD_ROOT}%{_datadir}/doc/INFO_BIN
rm -f ${RPM_BUILD_ROOT}%{_datadir}/doc/INFO_SRC
rm -f ${RPM_BUILD_ROOT}%{_datadir}/doc/INSTALL-BINARY
@@ -524,7 +516,7 @@ fi
%postun embedded -p /sbin/ldconfig
%files
-%doc README COPYING COPYING.LESSER README.mysql-license
+%doc README COPYING README.mysql-license
%doc storage/innobase/COPYING.Percona storage/innobase/COPYING.Google
%doc README.mysql-docs
@@ -566,7 +558,7 @@ fi
%config(noreplace) %{_sysconfdir}/my.cnf.d/client.cnf
%files libs
-%doc README COPYING COPYING.LESSER README.mysql-license
+%doc README COPYING README.mysql-license
%doc storage/innobase/COPYING.Percona storage/innobase/COPYING.Google
# although the default my.cnf contains only server settings, we put it in the
# libs package because it can be used for client settings too.
@@ -623,6 +615,7 @@ fi
%{_bindir}/mysqldumpslow
%{_bindir}/mysqld_multi
%{_bindir}/mysqld_safe
+%{_bindir}/mysqld_safe_helper
%{_bindir}/mysqlhotcopy
%{_bindir}/mysqltest
%{_bindir}/innochecksum
@@ -706,7 +699,7 @@ fi
%{_mandir}/man1/mysql_config.1*
%files embedded
-%doc README COPYING COPYING.LESSER README.mysql-license
+%doc README COPYING README.mysql-license
%doc storage/innobase/COPYING.Percona storage/innobase/COPYING.Google
%{_libdir}/mysql/libmysqld.so.*
@@ -728,6 +721,33 @@ fi
%{_mandir}/man1/mysql_client_test.1*
%changelog
+* Thu Jun 08 2017 Honza Horak <hhorak@redhat.com> - 1:5.5.56-2
+- Do not fix context and change owner if run by root in mariadb-prepare-db-dir
+ Related: #1458940
+- Check properly that datadir includes only expected files
+ Related: #1356897
+
+* Mon Jun 05 2017 Honza Horak <hhorak@redhat.com> - 1:5.5.56-1
+- Rebase to 5.5.56
+ That release also fixes the following security issues:
+ CVE-2016-5617/CVE-2016-6664 CVE-2017-3312 CVE-2017-3238 CVE-2017-3243
+ CVE-2017-3244 CVE-2017-3258 CVE-2017-3313 CVE-2017-3317 CVE-2017-3318
+ CVE-2017-3291 CVE-2017-3302 CVE-2016-5483/CVE-2017-3600 CVE-2017-3308
+ CVE-2017-3309 CVE-2017-3453 CVE-2017-3456 CVE-2017-3464
+ Resolves: #1458933
+ New deps required by upstream: checkpolicy and policycoreutils-python
+ License text removed by upstream: COPYING.LESSER
+ Do not ignore test-suite failure
+ Downstream script mariadb-prepare-db-dir fixed for CVE-2017-3265
+ Resolves: #1458940
+
+* Tue Mar 21 2017 Michal Schorm <mschorm@redhat.com> - 5.5.52-2
+- Extension of mariadb-prepare-db-dir script
+- Resolves: #1356897
+
+- Rebase to 5.5.52, that also include fix for CVE-2016-6662
+ Resolves: #1377974
+
* Wed Sep 21 2016 Honza Horak <hhorak@redhat.com> - 5.5.52-1
- Rebase to 5.5.52, that also include fix for CVE-2016-6662
Resolves: #1377974