[Debian] CVE: CVE-2021-46669/CVE-2022-27376/CVE-2022-27377...CVE-2022-32089/CVE-2022-32091: mariadb: multiple CVEs

Bug #2002281 reported by Yue Tao
This bug affects 1 person
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Critical    Yue Tao

Bug Description

CVE-2021-46669: https://nvd.nist.gov/vuln/detail/CVE-2021-46669

CVE-2022-27376: https://nvd.nist.gov/vuln/detail/CVE-2022-27376

CVE-2022-27377: https://nvd.nist.gov/vuln/detail/CVE-2022-27377

CVE-2022-27378: https://nvd.nist.gov/vuln/detail/CVE-2022-27378

CVE-2022-27379: https://nvd.nist.gov/vuln/detail/CVE-2022-27379

CVE-2022-27380: https://nvd.nist.gov/vuln/detail/CVE-2022-27380

CVE-2022-27381: https://nvd.nist.gov/vuln/detail/CVE-2022-27381

CVE-2022-27382: https://nvd.nist.gov/vuln/detail/CVE-2022-27382

CVE-2022-27383: https://nvd.nist.gov/vuln/detail/CVE-2022-27383

CVE-2022-27384: https://nvd.nist.gov/vuln/detail/CVE-2022-27384

CVE-2022-27386: https://nvd.nist.gov/vuln/detail/CVE-2022-27386

CVE-2022-27387: https://nvd.nist.gov/vuln/detail/CVE-2022-27387

CVE-2022-27444: https://nvd.nist.gov/vuln/detail/CVE-2022-27444

CVE-2022-27445: https://nvd.nist.gov/vuln/detail/CVE-2022-27445

CVE-2022-27446: https://nvd.nist.gov/vuln/detail/CVE-2022-27446

CVE-2022-27447: https://nvd.nist.gov/vuln/detail/CVE-2022-27447

CVE-2022-27448: https://nvd.nist.gov/vuln/detail/CVE-2022-27448

CVE-2022-27449: https://nvd.nist.gov/vuln/detail/CVE-2022-27449

CVE-2022-27451: https://nvd.nist.gov/vuln/detail/CVE-2022-27451

CVE-2022-27452: https://nvd.nist.gov/vuln/detail/CVE-2022-27452

CVE-2022-27455: https://nvd.nist.gov/vuln/detail/CVE-2022-27455

CVE-2022-27456: https://nvd.nist.gov/vuln/detail/CVE-2022-27456

CVE-2022-27457: https://nvd.nist.gov/vuln/detail/CVE-2022-27457

CVE-2022-27458: https://nvd.nist.gov/vuln/detail/CVE-2022-27458

CVE-2022-32081: https://nvd.nist.gov/vuln/detail/CVE-2022-32081

CVE-2022-32082: https://nvd.nist.gov/vuln/detail/CVE-2022-32082

CVE-2022-32083: https://nvd.nist.gov/vuln/detail/CVE-2022-32083

CVE-2022-32084: https://nvd.nist.gov/vuln/detail/CVE-2022-32084

CVE-2022-32085: https://nvd.nist.gov/vuln/detail/CVE-2022-32085

CVE-2022-32086: https://nvd.nist.gov/vuln/detail/CVE-2022-32086

CVE-2022-32087: https://nvd.nist.gov/vuln/detail/CVE-2022-32087

CVE-2022-32088: https://nvd.nist.gov/vuln/detail/CVE-2022-32088

CVE-2022-32089: https://nvd.nist.gov/vuln/detail/CVE-2022-32089

CVE-2022-32091: https://nvd.nist.gov/vuln/detail/CVE-2022-32091

Score:
cve_id status cvss3Score av ac pr ui ai
CVE-2021-46669 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27376 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27377 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27378 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27379 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27380 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27381 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27382 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27383 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27384 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27386 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27387 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27444 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27445 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27446 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27447 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27448 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27449 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27451 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27452 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27455 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27456 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27457 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-27458 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32081 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32082 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32083 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32084 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32085 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32086 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32087 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32088 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32089 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-32091 fixed 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

['libmariadb3_1:10.5.15-0+deb11u1_amd64.deb===>libmariadb3_10.5.18-0+deb11u1_amd64.deb', 'mariadb-common_1:10.5.15-0+deb11u1_all.deb===>mariadb-common_10.5.18-0+deb11u1_all.deb']

Found during December 2022 CVE scan using vulscan

Yue Tao (wrytao)
Changed in starlingx:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Yue Tao (wrytao)
information type: Public → Public Security
tags: added: stx.8.0 stx.security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/870488

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/870488
Committed: https://opendev.org/starlingx/tools/commit/3e3f69d622fff57162dbf91c503d8d3767aaf5ec
Submitter: "Zuul (22348)"
Branch: master

commit 3e3f69d622fff57162dbf91c503d8d3767aaf5ec
Author: Wentao Zhang <email address hidden>
Date: Mon Jan 16 13:24:16 2023 +0800

    Debian: mariadb: fix 34 CVEs

    Upgrade mariadb to 1:10.3.36-0+deb10u2 to fix 34 CVEs:

    CVE-2021-46669
    CVE-2022-27376
    CVE-2022-27377
    CVE-2022-27378
    CVE-2022-27379
    CVE-2022-27380
    CVE-2022-27381
    CVE-2022-27382
    CVE-2022-27383
    CVE-2022-27384
    CVE-2022-27386
    CVE-2022-27387
    CVE-2022-27444
    CVE-2022-27445
    CVE-2022-27446
    CVE-2022-27447
    CVE-2022-27448
    CVE-2022-27449
    CVE-2022-27451
    CVE-2022-27452
    CVE-2022-27455
    CVE-2022-27456
    CVE-2022-27457
    CVE-2022-27458
    CVE-2022-32081
    CVE-2022-32082
    CVE-2022-32083
    CVE-2022-32084
    CVE-2022-32085
    CVE-2022-32086
    CVE-2022-32087
    CVE-2022-32088
    CVE-2022-32089
    CVE-2022-32091

    Refer to:
    https://security-tracker.debian.org/tracker/DLA-3114-1

    Test Plan:
    PASS: build-pkgs --clean --all && build-image

    Closes-Bug: 2002281

    Signed-off-by: Wentao Zhang <email address hidden>
    Change-Id: I0419e13d8c7e54c58f7f62a56bd34c15d2f8305c

Changed in starlingx:
status: In Progress → Fix Released