CVE-2021-27928 et al affects MariaDB in Ubuntu

Bug #1926926 reported by Otto Kekäläinen
Affects                  Status        Importance  Assigned to       Milestone
mariadb-10.1 (Ubuntu)
  Bionic                 Fix Released  Medium      Unassigned
mariadb-10.3 (Ubuntu)
  Focal                  Fix Released  Medium      Unassigned
  Groovy                 Fix Released  Medium      Unassigned
mariadb-10.5 (Ubuntu)    Fix Released  Medium      Otto Kekäläinen
  Hirsute                Fix Released  Medium      Unassigned
  Impish                 Fix Released  Medium      Otto Kekäläinen

Bug Description

According to https://mariadb.com/kb/en/security/ the issue CVE-2021-27928 applies to MariaDB 10.5.9 and MariaDB 10.3.28 in Ubuntu. According to the Debian LTS team it also applies to MariaDB 10.1, and there is a version-specific patch available.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.1 in Bionic
- mariadb-10.3 in Focal
- mariadb-10.3 in Groovy
- mariadb-10.5 in Hirsute

MariaDB 10.5 in Impish will automatically import the new version from Debian Sid once available.

Security sponsor, note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto)
Changed in mariadb-10.1 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
no longer affects: mariadb-10.1 (Ubuntu Focal)
no longer affects: mariadb-10.1 (Ubuntu Groovy)
no longer affects: mariadb-10.1 (Ubuntu Hirsute)
no longer affects: mariadb-10.1 (Ubuntu Impish)
no longer affects: mariadb-10.3 (Ubuntu Bionic)
no longer affects: mariadb-10.3 (Ubuntu Hirsute)
no longer affects: mariadb-10.3 (Ubuntu Impish)
no longer affects: mariadb-10.5 (Ubuntu Bionic)
no longer affects: mariadb-10.5 (Ubuntu Focal)
no longer affects: mariadb-10.5 (Ubuntu Groovy)
Otto Kekäläinen (otto) wrote :

The 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'
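The sponsor-side steps from the comment above (fetch the packaging branch with git-buildpackage, let pristine-tar regenerate the upstream tarball, check its SHA1, and produce the debdiff between two tags) as an added shell example; this is not a script from the bug report or from the MariaDB packaging. It assumes git-buildpackage and pristine-tar are installed, uses the salsa repository and branch names quoted above, and takes the expected SHA1 from the caller because the page does not list it.

```shell
#!/bin/sh
# Added example: sponsor verification workflow for a MariaDB security update.
set -eu

# Compare a tarball's SHA1 with the value published for the upstream release.
# Returns 0 when they match, 1 otherwise; the expected value is caller-supplied.
verify_sha1() {
    tarball=$1
    expected=$2
    actual=$(sha1sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Produce the packaging (debian/) diff between two tags of a local clone,
# which is what the comment calls the debdiff.
debdiff_between_tags() {
    repo=$1
    tag1=$2
    tag2=$3
    git -C "$repo" diff "$tag1..$tag2" -- debian/
}

# Fetch the packaging repository and build from the named branch, letting
# pristine-tar regenerate the orig tarball so no separate download is needed.
# Needs network access; the offline test below does not call this.
fetch_and_build() {
    series=$1   # e.g. mariadb-10.1
    branch=$2   # e.g. ubuntu-18.04
    gbp clone --all "https://salsa.debian.org/mariadb-team/$series.git"
    cd "$series"
    git checkout "$branch"
    # Unsigned build; the sponsor signs after reviewing the debdiff.
    gbp buildpackage --git-pristine-tar --git-ignore-branch -us -uc
}
```

The regenerated `.orig.tar.gz` lands in the parent directory; pass it and the published SHA1 to `verify_sha1` before signing.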

Mathew Hodson (mhodson)
no longer affects: mariadb-10.3 (Ubuntu)
no longer affects: mariadb-10.1 (Ubuntu)
Changed in mariadb-10.1 (Ubuntu Bionic):
importance: Undecided → Medium
Changed in mariadb-10.3 (Ubuntu Focal):
importance: Undecided → Medium
Changed in mariadb-10.3 (Ubuntu Groovy):
importance: Undecided → Medium
Changed in mariadb-10.5 (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in mariadb-10.5 (Ubuntu Impish):
importance: Undecided → Medium
Otto Kekäläinen (otto) wrote :

Changelog:

mariadb-10.1 (1:10.1.48-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.1.48 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2020-14765
    - CVE-2020-14812
    - CVE-2020-28912
  * Additional backported fix for CVE-2021-27928:
    - Make @@wsrep_provider and @@wsrep_notify_cmd read-only

Otto Kekäläinen (otto) wrote :

The 10.3 series update for 20.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.3 (1:10.3.29-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

Otto Kekäläinen (otto) wrote :

The 10.3 series update for 20.10 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.10 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.10

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.3 (1:10.3.29-0ubuntu0.20.10.1) groovy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop --libmysqld-libs patch applied upstream
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

Otto Kekäläinen (otto) wrote :

The 10.5 series update for 21.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-21.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.5/tree/ubuntu-21.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.5 (1:10.5.10-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.10 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.5.9 included security fixes additionally for:
    - CVE-2021-27928
  * Previous release 10.5.7 included security fixes additionally for:
    - CVE-2021-2194
  * Previous release 10.5.5 included security fixes additionally for:
    - CVE-2021-2022
  * Drop riscv64 patch applied upstream
  * Drop spelling fixes applied upstream
  * Update symbols to include new one from MariaDB Client 3.1.13
  * Remove obsolete sql file removed by upstream (MDEV-24586)
  * Remove salsa-ci.yml, does not work for Ubuntu quality assurance

Otto Kekäläinen (otto) wrote :

You might want to consider issuing a USN for these updates as well.

Leonidas S. Barbosa (leosilvab) wrote :

Thanks a bunch @otto!!
I'll issue a USN for it asap.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.29-0ubuntu0.20.10.1

---------------
mariadb-10.3 (1:10.3.29-0ubuntu0.20.10.1) groovy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop --libmysqld-libs patch applied upstream
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

 -- Otto Kekäläinen <email address hidden> Sun, 09 May 2021 13:47:12 -0700

Changed in mariadb-10.3 (Ubuntu Groovy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.29-0ubuntu0.20.04.1

---------------
mariadb-10.3 (1:10.3.29-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

 -- Otto Kekäläinen <email address hidden> Sun, 09 May 2021 11:20:31 -0700

Changed in mariadb-10.3 (Ubuntu Focal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.1 - 1:10.1.48-0ubuntu0.18.04.1

---------------
mariadb-10.1 (1:10.1.48-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.1.48 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2020-14765
    - CVE-2020-14812
    - CVE-2020-28912
  * Additional backported fix for CVE-2021-27928:
    - Make @@wsrep_provider and @@wsrep_notify_cmd read-only

 -- Otto Kekäläinen <email address hidden> Sun, 02 May 2021 18:40:30 -0700

Changed in mariadb-10.1 (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.5 - 1:10.5.10-0ubuntu0.21.04.1

---------------
mariadb-10.5 (1:10.5.10-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.10 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.5.9 included security fixes additionally for:
    - CVE-2021-27928
  * Previous release 10.5.7 included security fixes additionally for:
    - CVE-2021-2194
  * Previous release 10.5.5 included security fixes additionally for:
    - CVE-2021-2022
  * Drop riscv64 patch applied upstream
  * Drop spelling fixes applied upstream
  * Update symbols to include new one from MariaDB Client 3.1.13
  * Remove obsolete sql file removed by upstream (MDEV-24586)
  * Remove salsa-ci.yml, does not work for Ubuntu quality assurance

 -- Otto Kekäläinen <email address hidden> Sun, 09 May 2021 10:49:34 -0700

Changed in mariadb-10.5 (Ubuntu Hirsute):
status: New → Fix Released
Steve Beattie (sbeattie)
Changed in mariadb-10.5 (Ubuntu Impish):
status: New → Confirmed
Mathew Hodson (mhodson) wrote :

This bug was fixed in the package mariadb-10.5 - 1:10.5.10-1

---------------
mariadb-10.5 (1:10.5.10-1) unstable; urgency=medium

  [ Otto Kekäläinen ]
  * New upstream version 10.5.10. Includes security fixes for (Closes: #988428):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.5.9 included security fixes additionally for:
    - CVE-2021-27928
  * Previous release 10.5.7 included security fixes additionally for:
    - CVE-2021-2194
  * Previous release 10.5.5 included security fixes additionally for:
    - CVE-2021-2022
  * Update symbols to include new one from MariaDB Client 3.1.13
  * Misc Salsa-CI fixes for better QA
  * Innotop: Add support for MariaDB 10.5+ (Closes: #941986)
  * Bugfix: Ensure upstream 1556 patch is included fully (Closes: 987231)
  * Bugfix: Don't create /usr/share/mysql/*.flag files (Closes: #985870)
  * Misc spelling fixes

  [ Glenn Strauss ]
  * Mark systemd files [linux-any] in debian/*.install

  [ Arnaud Rebillout ]
  * Fix postinst trigger when systemd is not running (Closes: #983563)

  [ Faustin Lammler ]
  * GitLab CI now supports timeout for specific jobs

 -- Otto Kekäläinen <email address hidden> Sun, 16 May 2021 11:36:38 -0700

Changed in mariadb-10.5 (Ubuntu Impish):
status: Confirmed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.