34342 – mariadb new security issues CVE-2023-52969, CVE-2023-5297[01], CVE-2025-30693, CVE-2025-30722

Bug 34342 - mariadb new security issues CVE-2023-52969, CVE-2023-5297[01], CVE-2025-30693, CVE-2025-30722

Summary: mariadb new security issues CVE-2023-52969, CVE-2023-5297[01], CVE-2025-30693...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9TOO MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-06-03 17:05 CEST by Nicolas Salguero
Modified:	2025-06-11 19:44 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	mariadb-11.7.2-5.mga10.src.rpm, mariadb-11.4.5-3.mga9.src.rpm
CVE:	CVE-2023-52969, CVE-2023-52970, CVE-2023-52971, CVE-2025-30693, CVE-2025-30722
Status comment:	Fixed upstream in 11.4.6 and 11.8.2

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-06-03 17:05:31 CEST

Ubuntu has issued an advisory on June 2:
https://ubuntu.com/security/notices/USN-7548-1

Nicolas Salguero 2025-06-03 17:07:19 CEST

CVE: (none) => CVE-2023-52969, CVE-2023-52970, CVE-2023-52971, CVE-2025-30693, CVE-2025-30722
Source RPM: (none) => mariadb-11.7.2-5.mga10.src.rpm, mariadb-11.4.5-3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 11.4.6 and 11.8.2

Comment 1 Marja Van Waes 2025-06-05 21:01:29 CEST

Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2025-06-06 00:26:30 CEST

Updated mariadb package fix security vulnerabilities:
Some CVE's have been fixed, which could be used for priviledge escalation.

It also fixes many minor and major bugs, which could lead to database crash.
For details see release notes of version 11.4.6 and 11.4.7



References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30722
https://mariadb.com/kb/en/mariadb-11-4-7-release-notes/
https://mariadb.com/kb/en/mariadb-11-4-6-release-notes/
https://ubuntu.com/security/notices/USN-7548-1

Updates in core/updates_testing:
mariadb-extra-debuginfo-11.4.7-1.mga9
mariadb-s3-engine-11.4.7-1.mga9
mariadb-s3-engine-debuginfo-11.4.7-1.mga9
mariadb-connect-11.4.7-1.mga9
mariadb-spider-11.4.7-1.mga9
mariadb-bench-debuginfo-11.4.7-1.mga9
mariadb-spider-debuginfo-11.4.7-1.mga9
mariadb-feedback-debuginfo-11.4.7-1.mga9
mariadb-connect-debuginfo-11.4.7-1.mga9
mariadb-sphinx-debuginfo-11.4.7-1.mga9
mariadb-11.4.7-1.mga9
mariadb-obsolete-debuginfo-11.4.7-1.mga9
mariadb-common-core-11.4.7-1.mga9
lib64mariadb3-debuginfo-11.4.7-1.mga9
lib64mariadb3-11.4.7-1.mga9
mariadb-sequence-debuginfo-11.4.7-1.mga9
mariadb-pam-11.4.7-1.mga9
mariadb-extra-11.4.7-1.mga9
mariadb-sequence-11.4.7-1.mga9
mariadb-pam-debuginfo-11.4.7-1.mga9
mariadb-sphinx-11.4.7-1.mga9
mariadb-obsolete-11.4.7-1.mga9
lib64mariadb-devel-debuginfo-11.4.7-1.mga9
mysql-MariaDB-11.4.7-1.mga9
mariadb-feedback-11.4.7-1.mga9
mariadb-debuginfo-11.4.7-1.mga9
lib64mariadb-devel-11.4.7-1.mga9
mariadb-mroonga-11.4.7-1.mga9
mariadb-mroonga-debuginfo-11.4.7-1.mga9
mariadb-client-11.4.7-1.mga9
mariadb-client-debuginfo-11.4.7-1.mga9
lib64mariadbd19-11.4.7-1.mga9
mariadb-core-11.4.7-1.mga9
mariadb-rocks-11.4.7-1.mga9
lib64mariadb-embedded-devel-11.4.7-1.mga9
mariadb-common-11.4.7-1.mga9
mariadb-debugsource-11.4.7-1.mga9
lib64mariadbd19-debuginfo-11.4.7-1.mga9
mariadb-core-debuginfo-11.4.7-1.mga9
mariadb-bench-11.4.7-1.mga9
mariadb-common-debuginfo-11.4.7-1.mga9
lib64mariadb-embedded-devel-debuginfo-11.4.7-1.mga9
mariadb-rocks-debuginfo-11.4.7-1.mga9


SRPM:
mariadb-11.4.7-1.mga9.src.rpm

Assignee: mageia => qa-bugs

PC LX 2025-06-06 01:39:56 CEST

CC: (none) => mageia

Comment 3 Herman Viaene 2025-06-06 13:58:08 CEST

MGA9-64 Plasma Wayland on Compaq H000SB
No installation issue.
# systemctl start mysqld
[root@mach3 etc]# systemctl -l status mysqld
● mysqld.service - MariaDB database server
     Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; preset: disabled)
     Active: active (running) since Fri 2025-06-06 13:40:54 CEST; 16s ago
    Process: 75273 ExecStartPre=/usr/sbin/mariadb-prepare-db-dir (code=exited, status=0/SUCCESS)
   Main PID: 75287 (mysqld)
     Status: "Taking your SQL requests now..."
      Tasks: 21 (limit: 8806)
     Memory: 71.4M
        CPU: 16.598s
     CGroup: /system.slice/mysqld.service
             └─75287 /usr/sbin/mysqld

Jun 06 13:40:21 mach3.hviaene.thuis mysqld[75287]: 2025-06-06 13:40:21 0 [Note] InnoDB: log sequence number 166344; transaction id 148
Jun 06 13:40:21 mach3.hviaene.thuis mysqld[75287]: 2025-06-06 13:40:21 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
Jun 06 13:40:21 mach3.hviaene.thuis mysqld[75287]: 2025-06-06 13:40:21 0 [Note] CONNECT: Version 1.07.0002 March 22, 2021
Jun 06 13:40:21 mach3.hviaene.thuis mysqld[75287]: 250606 13:40:21 server_audit: MariaDB Audit Plugin version 1.4.14 STARTED.
Jun 06 13:40:21 mach3.hviaene.thuis mysqld[75287]: 250606 13:40:21 server_audit: Query cache is enabled with the TABLE events. Some table reads can be veile>
Jun 06 13:40:22 mach3.hviaene.thuis mysqld[75287]: 2025-06-06 13:40:22 0 [Note] InnoDB: Buffer pool(s) load completed at 250606 13:40:22
Jun 06 13:40:54 mach3.hviaene.thuis mysqld[75287]: 2025-06-06 13:40:54 0 [Note] mysqld: Event Scheduler: Loaded 0 events
Jun 06 13:40:54 mach3.hviaene.thuis mysqld[75287]: 2025-06-06 13:40:54 0 [Note] /usr/sbin/mysqld: ready for connections.
Jun 06 13:40:54 mach3.hviaene.thuis mysqld[75287]: Version: '11.4.7-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 0  Mageia MariaDB Server
Jun 06 13:40:54 mach3.hviaene.thuis systemd[1]: Started mysqld.service.

Deleted previous testdatabase, created new database with one table. consisting of 4 columns, a PK serial, a unique key and a timestamp.
Inserted a few values. All works OK.

CC: (none) => herman.viaene

katnatek 2025-06-07 03:21:34 CEST

Keywords: (none) => advisory

Comment 4 PC LX 2025-06-09 15:56:29 CEST

Installed and tested for 3 days without issues.

Tested with:
- mysql CLI;
- dbeaver-ce;
- PHP scripts (e.g. phpmyadmin, wordpress, drupal, roundcubemail, nextcloud);
- Qt6 applications using the QSqlMySql plugin driver;
- network access disabled, only using unix socket.
- systemd restricted service for improved security (see ).
All OK.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.


# uname -a
Linux marte 6.6.92-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu May 22 19:00:17 UTC 2025 x86_64 GNU/Linux
# rpm -qa | grep mariadb | sort -u
lib64mariadb3-11.4.7-1.mga9
mariadb-11.4.7-1.mga9
mariadb-client-11.4.7-1.mga9
mariadb-common-11.4.7-1.mga9
mariadb-common-core-11.4.7-1.mga9
mariadb-core-11.4.7-1.mga9
mariadb-extra-11.4.7-1.mga9
# systemctl status mysqld.service 
● mysqld.service - MariaDB database server
     Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; preset: disabled)
    Drop-In: /etc/systemd/system/mysqld.service.d
             └─override.conf
     Active: active (running) since Mon 2025-06-09 10:00:15 WEST; 4h 51min ago
    Process: 1880095 ExecStartPre=/usr/sbin/mariadb-prepare-db-dir (code=exited, status=0/SUCCESS)
   Main PID: 1880109 (mysqld)
     Status: "Taking your SQL requests now..."
      Tasks: 17 (limit: 19018)
     Memory: 147.8M
        CPU: 13.318s
     CGroup: /system.slice/mysqld.service
             └─1880109 /usr/sbin/mysqld

jun 09 10:00:12 marte systemd[1]: Starting mysqld.service...
jun 09 10:00:12 marte mysqld[1880109]: /usr/sbin/mysqld: Deprecated program name. It will be removed in a future release, use '/usr/sbin/mariadbd' instead
jun 09 10:00:12 marte mysqld[1880109]: 2025-06-09 10:00:12 0 [Warning] failed to retrieve the MAC address
jun 09 10:00:15 marte systemd[1]: Started mysqld.service.

# cat /etc/systemd/system/mysqld.service.d/override.conf
# If "skip-networking" is set in the configuration then "AF_INET AF_INET6"
# should be removed from RestrictAddressFamilies and PrivateNetwork=should
# be set to "yes".

[Service]

PrivateNetwork=yes
PrivateUsers=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed

UMask=0077
NoNewPrivileges=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

SystemCallArchitectures=native
SystemCallFilter=@system-service @chown
SystemCallFilter=~ @privileged @resources

ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict

AmbientCapabilities=
CapabilityBoundingSet=

StateDirectory=mysql
RuntimeDirectory=mysqld
LogsDirectory=mysqld

Comment 5 katnatek 2025-06-11 05:31:09 CEST

(In reply to PC LX from comment #4)
> Installed and tested for 3 days without issues.
> 
> Tested with:
> - mysql CLI;
> - dbeaver-ce;
> - PHP scripts (e.g. phpmyadmin, wordpress, drupal, roundcubemail, nextcloud);
> - Qt6 applications using the QSqlMySql plugin driver;
> - network access disabled, only using unix socket.
> - systemd restricted service for improved security (see ).
> All OK.
> 
> 
> 
> System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
> 
> 
> # uname -a
> Linux marte 6.6.92-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu May 22 19:00:17
> UTC 2025 x86_64 GNU/Linux
> # rpm -qa | grep mariadb | sort -u
> lib64mariadb3-11.4.7-1.mga9
> mariadb-11.4.7-1.mga9
> mariadb-client-11.4.7-1.mga9
> mariadb-common-11.4.7-1.mga9
> mariadb-common-core-11.4.7-1.mga9
> mariadb-core-11.4.7-1.mga9
> mariadb-extra-11.4.7-1.mga9
> # systemctl status mysqld.service 
> ● mysqld.service - MariaDB database server
>      Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled;
> preset: disabled)
>     Drop-In: /etc/systemd/system/mysqld.service.d
>              └─override.conf
>      Active: active (running) since Mon 2025-06-09 10:00:15 WEST; 4h 51min
> ago
>     Process: 1880095 ExecStartPre=/usr/sbin/mariadb-prepare-db-dir
> (code=exited, status=0/SUCCESS)
>    Main PID: 1880109 (mysqld)
>      Status: "Taking your SQL requests now..."
>       Tasks: 17 (limit: 19018)
>      Memory: 147.8M
>         CPU: 13.318s
>      CGroup: /system.slice/mysqld.service
>              └─1880109 /usr/sbin/mysqld
> 
> jun 09 10:00:12 marte systemd[1]: Starting mysqld.service...
> jun 09 10:00:12 marte mysqld[1880109]: /usr/sbin/mysqld: Deprecated program
> name. It will be removed in a future release, use '/usr/sbin/mariadbd'
> instead
> jun 09 10:00:12 marte mysqld[1880109]: 2025-06-09 10:00:12 0 [Warning]
> failed to retrieve the MAC address
> jun 09 10:00:15 marte systemd[1]: Started mysqld.service.
> 
> # cat /etc/systemd/system/mysqld.service.d/override.conf
> # If "skip-networking" is set in the configuration then "AF_INET AF_INET6"
> # should be removed from RestrictAddressFamilies and PrivateNetwork=should
> # be set to "yes".
> 
> [Service]
> 
> PrivateNetwork=yes
> PrivateUsers=yes
> PrivateTmp=yes
> PrivateDevices=yes
> DevicePolicy=closed
> 
> UMask=0077
> NoNewPrivileges=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RemoveIPC=yes
> 
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
> RestrictNamespaces=yes
> RestrictAddressFamilies=AF_UNIX
> #RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> 
> SystemCallArchitectures=native
> SystemCallFilter=@system-service @chown
> SystemCallFilter=~ @privileged @resources
> 
> ProtectHome=yes
> ProtectHostname=yes
> ProtectKernelLogs=yes
> ProtectClock=yes
> ProtectControlGroups=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectKernelLogs=yes
> ProtectSystem=strict
> 
> AmbientCapabilities=
> CapabilityBoundingSet=
> 
> StateDirectory=mysql
> RuntimeDirectory=mysqld
> LogsDirectory=mysqld

The last part is good, bad or neutral?

Comment 6 PC LX 2025-06-11 10:27:54 CEST

(In reply to katnatek from comment #5)
> The last part is good, bad or neutral?

It is good!

With Herman and my OK, giving it the OK for x86_64.

Whiteboard: MGA9TOO => MGA9TOO MGA9-64-OK

Comment 7 Thomas Andrews 2025-06-11 15:02:09 CEST

Validating for MGA9.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2025-06-11 19:44:33 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0186.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.