Bug 30047 - MariaDB: 10.5.15 fixes security Issues
Summary: MariaDB: 10.5.15 fixes security Issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-14 22:19 CET by Marc Krämer
Modified: 2022-02-18 01:15 CET
CC List: 4 users

See Also:
Source RPM: mariadb
CVE:
Status comment:



Description Marc Krämer 2022-02-14 22:19:11 CET
The latest mariadb is available, which fixes several CVEs:
https://mariadb.com/kb/en/mariadb-10514-release-notes/
https://mariadb.com/kb/en/mariadb-10515-release-notes/

CVE-2021-46665
CVE-2021-46664
CVE-2021-46661
CVE-2021-46668
CVE-2021-46663
CVE-2022-24052
CVE-2022-24051
CVE-2022-24050
CVE-2022-24048
CVE-2021-46659
Comment 1 Marc Krämer 2022-02-15 20:11:22 CET
Updated mariadb packages fix security vulnerabilities:
InnoDB
- --skip-symbolic-links does not disallow .isl file creation (MDEV-26870)
- Indexed CHAR columns are broken with NO_PAD collations (MDEV-25440)
- insert-intention lock conflicts with waiting ORDINARY lock (MDEV-27025)
- Crash recovery improvements (MDEV-26784, MDEV-27022, MDEV-27183, MDEV-27610)

Galera
- Galera updated to 26.4.11
- Galera SST scripts should use ssl_capath (not ssl_ca) for CA directory (MDEV-27181)
- Alter Sequence do not replicate to another nodes with in Galera Cluster (MDEV-19353)
- Galera crash - Assertion. Possible parallel writeset problem (MDEV-26803)
- CREATE TABLE with FOREIGN KEY constraint fails to apply in parallel (MDEV-27276)
- Galera cluster node consider old server_id value even after modification of server_id [wsrep_gtid_mode=ON] (MDEV-26223)

Replication
- Seconds behind master corrected from artificial spikes at relay-log rotation (MDEV-16091)
- Statement rollback in binlog when transaction creates or drops temporary table is set right (MDEV-26833)
- CREATE-or-REPLACE SEQUENCE is made to binlog with the DDL flag to stabilize its parallel execution on slave (MDEV-27365)


References:
https://mariadb.com/kb/en/mariadb-10514-release-notes/
https://mariadb.com/kb/en/mariadb-10515-release-notes/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46668
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46659

========================

Updated packages in core/updates_testing:
========================
mariadb-client-10.5.15-1.mga8
mariadb-client-debuginfo-10.5.15-1.mga8
mariadb-core-10.5.15-1.mga8
lib64mariadbd19-10.5.15-1.mga8
lib64mariadb-embedded-devel-10.5.15-1.mga8
mariadb-common-10.5.15-1.mga8
mariadb-bench-debuginfo-10.5.15-1.mga8
mariadb-mroonga-debuginfo-10.5.15-1.mga8
mariadb-debuginfo-10.5.15-1.mga8
mariadb-connect-debuginfo-10.5.15-1.mga8
mariadb-spider-debuginfo-10.5.15-1.mga8
mariadb-connect-10.5.15-1.mga8
mariadb-spider-10.5.15-1.mga8
mariadb-extra-debuginfo-10.5.15-1.mga8
mariadb-sphinx-debuginfo-10.5.15-1.mga8
mariadb-feedback-debuginfo-10.5.15-1.mga8
lib64mariadb3-debuginfo-10.5.15-1.mga8
mariadb-10.5.15-1.mga8
mariadb-obsolete-debuginfo-10.5.15-1.mga8
lib64mariadb3-10.5.15-1.mga8
lib64mariadb-devel-10.5.15-1.mga8
mariadb-common-core-10.5.15-1.mga8
mariadb-extra-10.5.15-1.mga8
mariadb-sequence-debuginfo-10.5.15-1.mga8
mariadb-sphinx-10.5.15-1.mga8
mariadb-obsolete-10.5.15-1.mga8
mariadb-pam-10.5.15-1.mga8
mariadb-pam-debuginfo-10.5.15-1.mga8
mariadb-sequence-10.5.15-1.mga8
mariadb-feedback-10.5.15-1.mga8
lib64mariadb-devel-debuginfo-10.5.15-1.mga8
mysql-MariaDB-10.5.15-1.mga8
mariadb-mroonga-10.5.15-1.mga8
mariadb-rocks-10.5.15-1.mga8
mariadb-debugsource-10.5.15-1.mga8
lib64mariadbd19-debuginfo-10.5.15-1.mga8
mariadb-core-debuginfo-10.5.15-1.mga8
mariadb-bench-10.5.15-1.mga8
mariadb-common-debuginfo-10.5.15-1.mga8
lib64mariadb-embedded-devel-debuginfo-10.5.15-1.mga8
mariadb-rocks-debuginfo-10.5.15-1.mga8


SRPM:
mariadb-10.5.15-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Ulrich Beckmann 2022-02-16 15:17:33 CET
Tested with Kontact/KMail/Akonadi

2022-02-16 11:00:22 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.5.15-MariaDB'  socket: '/run/user/1000/akonadi/mysql.socket'  port: 0  Mageia MariaDB Server

Invoked as user
$ akonadictl status, ok
$ akonadictl fsck, ok

$ mysql_upgrade -u akonadi --socket=/run/user/1000/akonadi/mysql.socket, ok

No regression found.

Ulrich

CC: (none) => bequimao.de
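
As an added check that is not part of the bug report or of Mageia's own tooling, the script below does what Comment 1's package list and Comment 2's "ready for connections" banner together imply a verifier should do: compare each installed MariaDB package's version-release against 10.5.15-1.mga8 using rpm's own ordering rules (rpmvercmp reimplemented in Python, including the '~' and '^' segments), and confirm from the mysqld log banner that the running server, not merely the installed package, reports the fixed version. The `rpm -qa` sample and the log excerpt are constructed for the example; the package-name prefixes and the assumption that no epoch appears in the query output are assumptions, not facts from the advisory.

```python
import re

# Segments for rpm's version ordering (rpmvercmp): digit runs, letter runs,
# and the special '~' / '^' markers. Every other character only separates.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")

FIXED_VERSION, FIXED_RELEASE = "10.5.15", "1.mga8"  # from the advisory
# Assumption: these prefixes cover the MariaDB packages shipped by Mageia 8.
MARIADB_PREFIXES = ("mariadb", "lib64mariadb", "libmariadb", "mysql-MariaDB")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm semantics)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        ta = sa[0] if sa else None
        tb = sb[0] if sb else None
        # '~' sorts before anything, even end of string: 1.0~rc1 < 1.0
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            sa.pop(0); sb.pop(0)
            continue
        # '^' sorts after end of string but before any real segment:
        # 1.0 < 1.0^git1 < 1.0.1
        if ta == "^" or tb == "^":
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            sa.pop(0); sb.pop(0)
            continue
        # Whichever side still has segments left is newer: 10.5.15 < 10.5.15.1
        if ta is None:
            return -1
        if tb is None:
            return 1
        sa.pop(0); sb.pop(0)
        a_num, b_num = ta.isdigit(), tb.isdigit()
        if a_num != b_num:
            return 1 if a_num else -1  # numeric segment beats alphabetic
        if a_num:
            ia, ib = int(ta), int(tb)
            if ia != ib:
                return 1 if ia > ib else -1
        elif ta != tb:
            return 1 if ta > tb else -1
    return 0


def compare_vr(version_a: str, release_a: str, version_b: str, release_b: str) -> int:
    """Compare version first, then release (epoch assumed absent/equal)."""
    return rpmvercmp(version_a, version_b) or rpmvercmp(release_a, release_b)


def split_nvr(nvr: str):
    """'mariadb-core-10.5.15-1.mga8' -> ('mariadb-core', '10.5.15', '1.mga8')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def unfixed_packages(rpm_qa_output: str, fixed_version: str = FIXED_VERSION,
                     fixed_release: str = FIXED_RELEASE):
    """Names of installed MariaDB packages still older than the fixed build."""
    older = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = split_nvr(line)
        if not name.startswith(MARIADB_PREFIXES):
            continue
        if compare_vr(version, release, fixed_version, fixed_release) < 0:
            older.append(name)
    return older


# The banner mysqld logs right after "ready for connections".
_VERSION_LINE = re.compile(r"Version: '([0-9][^'-]*)-MariaDB'")


def running_server_fixed(log_text: str, fixed_version: str = FIXED_VERSION):
    """True/False from the last startup banner; None if no banner was logged."""
    found = _VERSION_LINE.findall(log_text)
    if not found:
        return None
    return rpmvercmp(found[-1], fixed_version) >= 0


# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# on a partly updated host; not taken from the bug report.
SAMPLE_RPM_QA = """\
mariadb-core-10.5.13-1.mga8
mariadb-client-10.5.13-1.mga8
lib64mariadb3-10.5.15-1.mga8
mariadb-pam-10.5.15-1.mga8
lib64mariadbd19-10.5.13-1.mga8
bash-5.0.18-3.mga8
"""

# Constructed log excerpt: an old banner followed by a post-update restart.
SAMPLE_LOG = """\
2022-02-16 10:58:01 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.5.12-MariaDB'  socket: '/run/user/1000/akonadi/mysql.socket'  port: 0  Mageia MariaDB Server
2022-02-16 11:00:22 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '10.5.15-MariaDB'  socket: '/run/user/1000/akonadi/mysql.socket'  port: 0  Mageia MariaDB Server
"""

if __name__ == "__main__":
    print("packages still below %s-%s: %s" % (
        FIXED_VERSION, FIXED_RELEASE, unfixed_packages(SAMPLE_RPM_QA)))
    print("running server at or above fix:", running_server_fixed(SAMPLE_LOG))
```

On a real host, feed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` to `unfixed_packages` and the relevant mysqld log (journal or error log) to `running_server_fixed`; a `None` result means no startup banner was seen, so the server may still be the pre-update binary and needs a restart or a `SELECT VERSION()` check.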

Comment 3 Herman Viaene 2022-02-17 11:38:56 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
As usual, I want to use phpmyadmin to do some database manipulation. Made sure mysqld and httpd are running, but then on starting phpmyadmin I get:
phpMyAdmin - Error

Error during session start; please check your PHP and/or webserver log file and configure your PHP installation properly. Also ensure that cookies are enabled in your browser.

session_start(): Cannot find session serialization handler "igbinary" - session startup failed
Looked up journalctl and /var/log and found some in the httpd/error_log.
It starts with
[Thu Feb 17 11:10:50.505606 2022] [ssl:warn] [pid 15569] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name.

But googling tells me this is rather a warning than a blocking error, so further a load of warnings and then

PHP Warning:  PHP Startup: igbinary: Unable to initialize module\nModule compiled with module API=20200930\nPHP    compiled with module API=20210902\nThese options need to match\n in Unknown on line 0

This is beyond me, so giving up here and I will try some commands at the mysql CLI.

CC: (none) => herman.viaene

Comment 4 Marc Krämer 2022-02-17 12:32:09 CET
Thanks Herman, I assume you have a mixed php install. Some php packages have php-8.1 and others php-8.0, so in this case php-igbinary is from php-8.0 and you have loaded php-8.1. I think this is the error: rpmdrake selects packages from backports even if they are not enabled.
Comment 5 Dave Hodgins 2022-02-17 17:31:08 CET
While backports is an issue that needs to be solved, it has a workaround:
  urpmi.removemedia -y Back
  Then use "urpmq --not-available" to identify the packages that need to be
  downgraded.

I've installed the update and phpmyadmin is working as is mariadb.

Oking the update and validating.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-17 18:43:05 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-02-18 01:15:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0070.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

