| Summary: | mariadb new security issue CVE-2024-21096 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | mariadb-10.11.7-1.mga9.src.rpm | CVE: | CVE-2024-21096 |
| Status comment: | Fixed upstream in 10.11.8 | ||
|
Description
Nicolas Salguero
2024-05-21 15:26:27 CEST
Nicolas Salguero
2024-05-21 15:27:03 CEST
Source RPM:
(none) =>
mariadb-10.11.7-1.mga9.src.rpm Marc is the regular packager for MariaDB, so assigning this to you. Assignee:
bugsquad =>
mageia strange, must have missed the version announcement. But I was very busy. Updated MariaDB to fix a new security issue [1,2] Addtional bugs were fixed [3] in the following components: InnoDB Spider Aria Backup JSON Optimization & Tuning Plugins Galera Scripts & Clients Server For the deatails see the vendor site [3] References: [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21096 [2] https://lwn.net/Articles/974440/ [3] https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/ ======================== Updated packages in core/updates_testing: ======================== mariadb-client-10.11.8-1.mga9 mariadb-client-debuginfo-10.11.8-1.mga9 lib64mariadbd19-10.11.8-1.mga9 mariadb-core-10.11.8-1.mga9 lib64mariadb-embedded-devel-10.11.8-1.mga9 mariadb-mroonga-debuginfo-10.11.8-1.mga9 lib64mariadb-devel-10.11.8-1.mga9 mariadb-common-10.11.8-1.mga9 mariadb-spider-debuginfo-10.11.8-1.mga9 mariadb-rocks-10.11.8-1.mga9 mariadb-mroonga-10.11.8-1.mga9 mariadb-bench-debuginfo-10.11.8-1.mga9 mariadb-debuginfo-10.11.8-1.mga9 mariadb-s3-engine-10.11.8-1.mga9 mariadb-feedback-debuginfo-10.11.8-1.mga9 mariadb-connect-debuginfo-10.11.8-1.mga9 mariadb-extra-debuginfo-10.11.8-1.mga9 mariadb-connect-10.11.8-1.mga9 mariadb-10.11.8-1.mga9 mariadb-spider-10.11.8-1.mga9 mariadb-sphinx-debuginfo-10.11.8-1.mga9 mariadb-s3-engine-debuginfo-10.11.8-1.mga9 lib64mariadb3-debuginfo-10.11.8-1.mga9 mariadb-obsolete-debuginfo-10.11.8-1.mga9 mariadb-common-core-10.11.8-1.mga9 lib64mariadb3-10.11.8-1.mga9 mariadb-sequence-debuginfo-10.11.8-1.mga9 mariadb-extra-10.11.8-1.mga9 mariadb-sphinx-10.11.8-1.mga9 mariadb-obsolete-10.11.8-1.mga9 mariadb-pam-debuginfo-10.11.8-1.mga9 mariadb-pam-10.11.8-1.mga9 mariadb-sequence-10.11.8-1.mga9 mysql-MariaDB-10.11.8-1.mga9 lib64mariadb-devel-debuginfo-10.11.8-1.mga9 mariadb-feedback-10.11.8-1.mga9 lib64mariadbd19-debuginfo-10.11.8-1.mga9 mariadb-debugsource-10.11.8-1.mga9 mariadb-core-debuginfo-10.11.8-1.mga9 mariadb-bench-10.11.8-1.mga9 mariadb-common-debuginfo-10.11.8-1.mga9 mariadb-rocks-debuginfo-10.11.8-1.mga9 lib64mariadb-embedded-devel-debuginfo-10.11.8-1.mga9 SRPM: mariadb-10.11.8-1.mga9.src.rpm Assignee:
mageia =>
qa-bugs
katnatek
2024-05-23 23:34:51 CEST
Keywords:
(none) =>
advisory MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues, omitting debuginfo's
# systemctl start httpd
# systemctl start mysqld
# systemctl -l status mysqld
● mysqld.service - MySQL database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; preset: disabled)
Active: active (running) since Fri 2024-05-24 14:01:07 CEST; 20s ago
Process: 21914 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
Main PID: 21928 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 22 (limit: 4495)
Memory: 101.8M
CPU: 1.666s
CGroup: /system.slice/mysqld.service
└─21928 /usr/sbin/mysqld
May 24 14:00:46 mach4.hviaene.thuis mysqld[21928]: 2024-05-24 14:00:46 0 [Note] InnoDB: Setting file './ibtmp1' size to 12.000MiB. Physi>
May 24 14:00:46 mach4.hviaene.thuis mysqld[21928]: 2024-05-24 14:00:46 0 [Note] InnoDB: File './ibtmp1' size is now 12.000MiB.
May 24 14:00:46 mach4.hviaene.thuis mysqld[21928]: 2024-05-24 14:00:46 0 [Note] InnoDB: log sequence number 72212; transaction id 48
May 24 14:00:46 mach4.hviaene.thuis mysqld[21928]: 2024-05-24 14:00:46 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_bu>
May 24 14:00:46 mach4.hviaene.thuis mysqld[21928]: 2024-05-24 14:00:46 0 [Note] InnoDB: Buffer pool(s) load completed at 240524 14:00:46
May 24 14:00:46 mach4.hviaene.thuis mysqld[21928]: 2024-05-24 14:00:46 0 [Note] CONNECT: Version 1.07.0002 March 22, 2021
May 24 14:00:47 mach4.hviaene.thuis mysqld[21928]: 240524 14:00:47 server_audit: MariaDB Audit Plugin version 1.4.14 STARTED.
May 24 14:01:07 mach4.hviaene.thuis mysqld[21928]: 240524 14:00:47 server_audit: Query cache is enabled with the TABLE events. Some tabl>
May 24 14:01:07 mach4.hviaene.thuis mysqld[21928]: Version: '10.11.8-MariaDB' socket: '/var/lib/mysql/mysql.sock' port: 0 Mageia Mari>
May 24 14:01:07 mach4.hviaene.thuis systemd[1]: Started mysqld.service.
Used phpmyadmin to delete an existing database, created a new one, created one new table with serial field as primary key, one varchar as unique key, one plain varchar, one timestamp with current_timestamp as default.
Table created OK, inserted some values, all OK.CC:
(none) =>
herman.viaene Installed and tested without issues.
Tested with:
- mysql CLI;
- dbeaver-ce;
- mysql workstation;
- PHP scripts (e.g. phpmyadmin, roundcubemail, nextcloud, wordpress);
- Qt6 applications using the QSqlMySql plugin driver;
- systemd restricted service for improved security (see override.conf file below).
All OK.
System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
$ uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep mariadb | sort
lib64mariadb3-10.11.8-1.mga9
mariadb-10.11.8-1.mga9
mariadb-client-10.11.8-1.mga9
mariadb-common-10.11.8-1.mga9
mariadb-common-core-10.11.8-1.mga9
mariadb-core-10.11.8-1.mga9
mariadb-extra-10.11.8-1.mga9
$ systemctl status mysqld.service
● mysqld.service - MySQL database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; preset: disabled)
Drop-In: /etc/systemd/system/mysqld.service.d
└─override.conf
Active: active (running) since Fri 2024-05-24 08:00:03 WEST; 7h ago
Process: 1972738 ExecStartPre=/usr/sbin/mysqld-prepare-db-dir (code=exited, status=0/SUCCESS)
Main PID: 1972752 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 20 (limit: 19042)
Memory: 153.0M
CPU: 12min 57.037s
CGroup: /system.slice/mysqld.service
└─1972752 /usr/sbin/mysqld
$ cat /etc/systemd/system/mysqld.service.d/override.conf
# If "skip-networking" is set in the configuration then "AF_INET AF_INET6"
# should be removed from RestrictAddressFamilies and PrivateNetwork=should
# be set to "yes".
[Service]
PrivateNetwork=yes
PrivateUsers=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
UMask=0077
NoNewPrivileges=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~ @privileged @resources
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
AmbientCapabilities=
CapabilityBoundingSet=
StateDirectory=mysql
RuntimeDirectory=mysqld
LogsDirectory=mysqldCC:
(none) =>
mageia Herman and/or PC LX test are considered good in previous rounds CC:
(none) =>
andrewsfarm Validating. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0195.html Status:
NEW =>
RESOLVED |