CVE-2024-21096 et al affects MariaDB in Ubuntu

Bug #2067125 reported by Otto Kekäläinen
Affects: mariadb (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Otto Kekäläinen
Milestone: (none)

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.6 in Jammy
- mariadb (10.11) in Mantic
- mariadb (10.11) in Noble

MariaDB 10.11 in Oracular will automatically import the new version from Debian Sid once Ubuntu maintainers drop the delta and sync.

Jammy has MariaDB 10.3 which is out of support by upstream and has no new version (at least no public one).

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Revision history for this message
Otto Kekäläinen (otto) wrote :

Unlike previous times such as LP#2045452, this time I am trying a new way to ask for review at https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/82 (Prepare MariaDB Server 1:10.11.8-0ubuntu0.24.04.1 for upload to Ubuntu)

Otto Kekäläinen (otto) wrote :

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/83 (Prepare MariaDB Server 1:10.11.8-0ubuntu0.23.10.1 for upload to Ubuntu)

Otto Kekäläinen (otto) wrote :

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/84 (Prepare MariaDB Server 1:10.6.18-0ubuntu0.22.04.1 for upload to Ubuntu)

Let's focus on the review (and fixes) in the first MR!82 first, and only after it is uploaded and everything went fine proceed with the two others.

Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Thanks for preparing the updates!
I will be taking a look at the PRs between today and tomorrow.

Eduardo Barretto (ebarretto) wrote :

Hey Otto,

Sorry for the delay. The branches look good, and I could successfully build the package and check the diff with the PR, but I again had to bypass that issue with gbp not generating the orig tarball correctly.
I'm investigating this issue a bit more to see what is going on.

Otto Kekäläinen (otto) wrote :

Eduardo, old notes about xdelta3/pristine-tar incompatibility in https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326.

Do you have any feedback about the import otherwise? I could update and finalize it content-wise.

Eduardo Barretto (ebarretto) wrote :

Hey Otto,

Sorry, I was off for a few days. So should I go ahead with the sponsoring, or do you want to merge things first? Either works well for me, and I can continue with the sponsoring this week still.

Otto Kekäläinen (otto) wrote : Re: [Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

I was waiting for some feedback. If you have none, I will merge as-is.

Eduardo Barretto (ebarretto) wrote :

Hi Otto, all looks good. If you are OK with it, I will proceed with the sponsoring.

affects: mariadb-10.3 (Ubuntu) → mariadb (Ubuntu)
Otto Kekäläinen (otto) wrote (last edit ):

The above MRs have been merged without further commits. We are aware that there still is an issue with pristine-tar/xdelta3 version compatibilities (https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326) and we know that Ubuntu-specific autopkgtests can't be triggered for testing anymore (https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/83). Neither is a sign of a regression in the release itself nor a reason to postpone delivering these security updates to users.

If you have permissions to trigger autopkgtests, please open link https://autopkgtest.ubuntu.com/request.cgi?release=mantic&arch=amd64&package=mariadb&ppa=mysql-ubuntu/mariadb-10.11&trigger=mariadb/1:10.11.8-0ubuntu0.23.10.1~bpo23.10.1~1718530712.65e173d159a%2Bubuntu.23.10.mantic

MariaDB 10.6.18 for Ubuntu Jammy is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.04 and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.6/+builds?build_text=&build_state=all

MariaDB 10.11.8 for Ubuntu Mantic is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-23.10 and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.11/+builds?build_text=&build_state=all

MariaDB 10.11.8 for Ubuntu Noble is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-24.04

If you find any issues, let me know and I will add commits to fix them.

This report contains Public Security information  
Everyone can see this security related information.
