| Summary: | mariadb new security issues CVE-2020-2752 CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, mageia, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | mariadb-10.3.22-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-06-18 22:55:48 CEST

David Walser
2020-06-18 22:56:09 CEST
Whiteboard: (none) => MGA7TOO

Marc Krämer
2020-06-19 02:15:50 CEST
Version: Cauldron => 7

Marc, Cauldron hasn't been updated yet. I see it's checked into SVN, but it hasn't been built.
Version: 7 => Cauldron

sorry. there must have been a build issue and I was busy. Didn't check the repos.

ok, I know why... I didn't have the time to play this file removed, that added...

Nice, it built. Just needs an advisory.
https://mariadb.com/kb/en/mariadb-10323-release-notes/

mariadb-10.3.23-1.mga7
mysql-MariaDB-10.3.23-1.mga7
mariadb-feedback-10.3.23-1.mga7
mariadb-connect-10.3.23-1.mga7
mariadb-sphinx-10.3.23-1.mga7
mariadb-mroonga-10.3.23-1.mga7
mariadb-sequence-10.3.23-1.mga7
mariadb-spider-10.3.23-1.mga7
mariadb-extra-10.3.23-1.mga7
mariadb-obsolete-10.3.23-1.mga7
mariadb-core-10.3.23-1.mga7
mariadb-common-core-10.3.23-1.mga7
mariadb-common-10.3.23-1.mga7
mariadb-client-10.3.23-1.mga7
mariadb-bench-10.3.23-1.mga7
mariadb-pam-10.3.23-1.mga7
libmariadb3-10.3.23-1.mga7
libmariadb-devel-10.3.23-1.mga7
libmariadbd19-10.3.23-1.mga7
libmariadb-embedded-devel-10.3.23-1.mga7
from mariadb-10.3.23-1.mga7.src.rpm

Status comment: Fixed upstream in 10.3.23 and 10.4.13 => (none)
David Walser
2020-06-19 20:24:16 CEST
Assignee: mageia => qa-bugs

Installed and tested without issues.
Tested with:
- mysql CLI;
- MySQL Workbench;
- Qt5 applications using the mysql plugin;
- phpMyAdmin PHP script;
- PHP using PDO/mysql;
- Several complex SQL scripts.
No regressions noticed.
$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i mariadb | sort
lib64mariadb3-10.3.23-1.mga7
mariadb-10.3.23-1.mga7
mariadb-client-10.3.23-1.mga7
mariadb-common-10.3.23-1.mga7
mariadb-common-core-10.3.23-1.mga7
mariadb-core-10.3.23-1.mga7
mariadb-extra-10.3.23-1.mga7
$ systemctl status mysqld
● mysqld.service - MySQL database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-06-19 22:32:39 WEST; 28min ago
Process: 25191 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
Main PID: 25205 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 34 (limit: 4697)
Memory: 62.9M
CGroup: /system.slice/mysqld.service
└─25205 /usr/sbin/mysqld
jun 19 22:32:39 marte mysqld[25205]: 2020-06-19 22:32:39 0 [Note] InnoDB: 10.3.23 started; log sequence number 296879548; transaction id 895478
jun 19 22:32:39 marte mysqld[25205]: 2020-06-19 22:32:39 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
jun 19 22:32:39 marte mysqld[25205]: 200619 22:32:39 server_audit: MariaDB Audit Plugin version 1.4.8 STARTED.
jun 19 22:32:39 marte mysqld[25205]: 200619 22:32:39 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veiled.2020-06-19 22:32:39 0 [Note] Reading of all Master_info entries s>
jun 19 22:32:39 marte mysqld[25205]: 2020-06-19 22:32:39 0 [Note] Added new Master_info '' to hash table
jun 19 22:32:39 marte mysqld[25205]: 2020-06-19 22:32:39 0 [Note] /usr/sbin/mysqld: ready for connections.
jun 19 22:32:39 marte mysqld[25205]: Version: '10.3.23-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia MariaDB Server
jun 19 22:32:39 marte systemd[1]: Started MySQL database server.
jun 19 22:32:39 marte mysqld[25205]: 2020-06-19 22:32:39 0 [Note] InnoDB: Buffer pool(s) load completed at 200619 22:32:39

CC: (none) => mageia

thx David.

Advisory:
========================

Updated mariadb packages fix security vulnerabilities:

Vulnerability in the MariaDB Client product of MariaDB (component: C API). Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MariaDB Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Client (CVE-2020-2752).

Vulnerability in the MariaDB Server product of MariaDB (component: InnoDB). Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Server as well as unauthorized update, insert or delete access to some of MariaDB Server accessible data (CVE-2020-2760).

Vulnerability in the MariaDB Server product of MariaDB (component: Server: Stored Procedure). Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Server (CVE-2020-2812).

Vulnerability in the MariaDB Server product of MariaDB (component: InnoDB). Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MariaDB Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MariaDB Server (CVE-2020-2814).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814
https://mariadb.com/kb/en/mariadb-10323-release-notes/

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
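As an added defender-side check (not code from this bug report or from Mageia), the Python below re-implements RPM's version ordering and flags any installed mariadb package still below the fixed 10.3.23-1.mga7 build named in the advisory, which is what the `rpm -qa | grep -i mariadb` step in the QA comment verifies by eye. The `rpm -qa` sample is constructed, and the comparison is simplified (no epoch, no `~`/`^` handling).

```python
"""Flag installed MariaDB packages still below the fixed build from the advisory
(Mageia 7: 10.3.23-1.mga7). Added example; simplified rpmvercmp, no epoch/'~'/'^'."""
import re
FIXED_EVR = "10.3.23-1.mga7"  # version-release named in the advisory

def rpmvercmp(a: str, b: str) -> int:
    """Order version strings like librpm's rpmvercmp: alphanumeric segments left to
    right, numeric as integers, alphabetic lexically, numeric beats alphabetic."""
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1   # numeric segment outranks alphabetic one
        elif x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with more segments is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# name-version-release as printed by `rpm -qa` (version starts with a digit)
NEVR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>[0-9][^-]*)-(?P<rel>[^-]+)$")

def vulnerable_packages(rpm_qa_output: str, fixed_evr: str = FIXED_EVR) -> list:
    """Return names of mariadb/libmariadb packages whose EVR is below fixed_evr."""
    found = []
    for line in rpm_qa_output.split():
        m = NEVR_RE.match(line)
        if not m or "mariadb" not in m["name"].lower():
            continue
        if evrcmp(f"{m['ver']}-{m['rel']}", fixed_evr) < 0:
            found.append(m["name"])
    return found

# Constructed sample resembling `rpm -qa | grep -i mariadb` on a partly updated host
SAMPLE = """lib64mariadb3-10.3.23-1.mga7
mariadb-core-10.3.22-1.mga7
mariadb-client-10.3.23-1.mga7
mariadb-common-10.3.22-2.mga7
"""

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE))  # → ['mariadb-core', 'mariadb-common']
```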
Nicolas Lécureuil
2020-07-07 12:29:27 CEST
CC: (none) => mageia

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0284.html

Resolution: (none) => FIXED