openSUSE Security Update: Security update for xtrabackup
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:0251-1
Rating:             moderate
References:         #1019858
Cross-References:   CVE-2016-6225
Affected Products:  openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xtrabackup fixes the following issues:

- CVE-2016-6225: xbcrypt encryption IV not being set properly
  (boo#1019858)

In addition, XtraBackup was updated to 2.3.6 to include the following
improvements:

- now supports SHA256 passwords
- now supports command options for secure connections

The following bugs were fixed:

- intermittent assertion failures when not correctly identifying server
  version
- Safe slave backup algorithm performed too short delays between retries,
  which could cause backups to fail on busy servers
- fix compilation warnings with gcc6
- Backup would still succeed even if xtrabackup would fail to write the
  metadata
- xbcloud now supports EMC ECS Swift API Authorization requests
- backup failed with MariaDB 10.2 with the unsupported server version
  error message

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

    zypper in -t patch openSUSE-2017-132=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.2 (x86_64):

    xtrabackup-2.3.6-3.1
    xtrabackup-debuginfo-2.3.6-3.1
    xtrabackup-debugsource-2.3.6-3.1
    xtrabackup-test-2.3.6-3.1

References:

  https://www.suse.com/security/cve/CVE-2016-6225.html
  https://bugzilla.suse.com/1019858