Bug 27375

Summary: MariaDB new security issues
Product: Mageia Reporter: Marc Krämer <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mariadb CVE:
Status comment:

Description Marc Krämer 2020-10-08 12:13:25 CEST 
new version fixes security issue (not yet know which one...)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15180
https://mariadb.com/kb/en/mariadb-10325-release-notes/
Comment 1 Marc Krämer 2020-10-08 18:44:26 CEST 
Updated mariadb packages fix security vulnerabilitiy:

This update fixes a security vulnerabilitiy [1]

References:
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15180
[2] https://mariadb.com/kb/en/mariadb-10325-release-notes/
========================

Updated packages in core/updates_testing:
========================
mariadb-10.3.25-1.mga7
mysql-MariaDB-10.3.25-1.mga7
mariadb-feedback-10.3.25-1.mga7
mariadb-connect-10.3.25-1.mga7
mariadb-sphinx-10.3.25-1.mga7
mariadb-mroonga-10.3.25-1.mga7
mariadb-sequence-10.3.25-1.mga7
mariadb-spider-10.3.25-1.mga7
mariadb-extra-10.3.25-1.mga7
mariadb-obsolete-10.3.25-1.mga7
mariadb-core-10.3.25-1.mga7
mariadb-common-core-10.3.25-1.mga7
mariadb-common-10.3.25-1.mga7
mariadb-client-10.3.25-1.mga7
mariadb-bench-10.3.25-1.mga7
mariadb-pam-10.3.25-1.mga7
libmariadb3-10.3.25-1.mga7
libmariadb-devel-10.3.25-1.mga7
libmariadbd19-10.3.25-1.mga7
libmariadb-embedded-devel-10.3.25-1.mga7
mariadb-debugsource-10.3.25-1.mga7
mariadb-debuginfo-10.3.25-1.mga7
mariadb-feedback-debuginfo-10.3.25-1.mga7
mariadb-connect-debuginfo-10.3.25-1.mga7
mariadb-sphinx-debuginfo-10.3.25-1.mga7
mariadb-mroonga-debuginfo-10.3.25-1.mga7
mariadb-sequence-debuginfo-10.3.25-1.mga7
mariadb-spider-debuginfo-10.3.25-1.mga7
mariadb-extra-debuginfo-10.3.25-1.mga7
mariadb-obsolete-debuginfo-10.3.25-1.mga7
mariadb-core-debuginfo-10.3.25-1.mga7
mariadb-common-debuginfo-10.3.25-1.mga7
mariadb-client-debuginfo-10.3.25-1.mga7
mariadb-bench-debuginfo-10.3.25-1.mga7
mariadb-pam-debuginfo-10.3.25-1.mga7
libmariadb3-debuginfo-10.3.25-1.mga7
libmariadbd19-debuginfo-10.3.25-1.mga7
libmariadb-embedded-devel-debuginfo-10.3.25-1.mga7

Source RPMs: 
mariadb-10.3.25-1.mga7.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Marc Krämer 2020-10-08 18:46:11 CEST 
when vulnerabilitiy is known, we can change the text, but I assume it is severe, so let's do qa, and maybe push it without knowing details (yet).
Comment 3 Dave Hodgins 2020-10-09 01:00:38 CEST 
Mageia 7 x86_64 system.

Update installed cleanly.

After installing the update, ran "mysql_upgrade -u root -p" to ensure mysql
tables are up to date.

Used http://127.0.0.1/phpmyadmin to create a database, and a table with a couple
of rows.

Validating update.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2020-10-09 01:05:09 CEST

Keywords: (none) => advisory

Comment 4 David Walser 2020-10-09 01:11:49 CEST 
Apparently this commit is the fix for the issue, and it's believed to be serious:
https://github.com/MariaDB/server/commit/418850b2df4256da5a722288c2657650dc228842

It sounds like some sort of injection vulnerability.
Comment 5 Mageia Robot 2020-10-13 14:40:10 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0382.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED