Bug 32574 - galera new security issue CVE-2023-22084
Summary: galera new security issue CVE-2023-22084
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-11-27 17:24 CET by Nicolas Salguero
Modified: 2023-12-04 10:31 CET

See Also:
Source RPM: galera-26.4.14-2.mga10.src.rpm
CVE:
Status comment: Fixed upstream in 26.4.16



Description Nicolas Salguero 2023-11-27 17:24:58 CET
Fedora has issued an advisory on November 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LWEA37QIYXWYCX7KTOSNYCEZNE2XHEX/

Mageia 9 is also affected.
Nicolas Salguero 2023-11-27 17:25:43 CET

Status comment: (none) => Fixed upstream in 26.4.16
Source RPM: (none) => galera-26.4.14-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2023-11-27 21:20:19 CET
I see DavidG has already put version: 26.4.16 in Cauldron.
Is it OK to assign this to you for the M9 bit? (+ advisory)

Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2023-11-27 21:53:47 CET
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
galera-26.4.16-1.mga9

From SRPMS:
galera-26.4.16-1.mga9.src.rpm

Version: Cauldron => 9
Assignee: geiger.david68210 => qa-bugs

Comment 3 Marja Van Waes 2023-11-28 14:04:22 CET
Advisory with SRPM from comment 2 added to SVN

CC: (none) => marja11
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory

Comment 4 Len Lawrence 2023-11-28 20:26:25 CET
Mageia9, x86_64

A search online provides this description:
Galera Cluster is a synchronous multi-master database cluster, based on synchronous replication and MySQL and InnoDB. When Galera Cluster is in use, database reads and writes can be directed to any node. Any individual node can be lost without interruption in operations and without using complex failover procedures.

Certainly above my pay grade.  It is one of those packages which really needs to be tested by somebody with an interest in it.  It updates cleanly.  Shall pass it on tomorrow if nobody else wishes to test it.

CC: (none) => tarazed25

Comment 5 Herman Viaene 2023-11-30 16:05:46 CET
Had a look at https://mariadb.com/kb/en/getting-started-with-mariadb-galera-cluster/ but configuring this is !!!?????
There seemed to be an easy way to get something going, but
# galera_new_cluster
-bash: galera_new_cluster: command not found
In that status I agree with Len: if nobody shows up with more in-depth knowledge, let the update go.

CC: (none) => herman.viaene

Comment 6 Dave Hodgins 2023-11-30 19:36:24 CET
Mageia does not have mysql-wsrep
https://github.com/codership/mysql-wsrep/blob/5.6/Docs/README-wsrep

Without it, galera can only be used with third party software. In such a case, it's normal to validate based on a clean install over the prior version.

CC: (none) => davidwhodgins

Comment 7 Thomas Andrews 2023-12-01 21:30:13 CET
Thanks, Dave. Good to see you still have our backs if we need it.

Len said he had a clean install. Herman didn't say, but without a clean install trying a command makes no sense, so he probably had one, too.

Giving this an OK, and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 8 Mageia Robot 2023-12-04 10:31:01 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0337.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

