CVE-2021-27928 et al affects MariaDB in Ubuntu

Bug #1926926 reported by Otto Kekäläinen on 2021-05-02
Affects / Status / Importance / Assigned to / Milestone
- mariadb-10.1 (Ubuntu), Bionic: Medium, Unassigned
- mariadb-10.3 (Ubuntu), Focal: Medium, Unassigned
- mariadb-10.3 (Ubuntu), Groovy: Medium, Unassigned
- mariadb-10.5 (Ubuntu): status tracked in Impish
- mariadb-10.5 (Ubuntu), Hirsute: Medium, Unassigned
- mariadb-10.5 (Ubuntu), Impish: Medium, Otto Kekäläinen

Bug Description

According to https://mariadb.com/kb/en/security/ the issue CVE-2021-27928 applies to MariaDB 10.5.9 and MariaDB 10.3.28 in Ubuntu. According to the Debian LTS team it also applies to MariaDB 10.1, and a version-specific patch is available.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.1 in Bionic
- mariadb-10.3 in Focal
- mariadb-10.3 in Groovy
- mariadb-10.5 in Hirsute

MariaDB 10.5 in Impish will automatically import the new version from Debian Sid once available.

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto) on 2021-05-02
Changed in mariadb-10.1 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Changed in mariadb-10.5 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
no longer affects: mariadb-10.1 (Ubuntu Focal)
no longer affects: mariadb-10.1 (Ubuntu Groovy)
no longer affects: mariadb-10.1 (Ubuntu Hirsute)
no longer affects: mariadb-10.1 (Ubuntu Impish)
no longer affects: mariadb-10.3 (Ubuntu Bionic)
no longer affects: mariadb-10.3 (Ubuntu Hirsute)
no longer affects: mariadb-10.3 (Ubuntu Impish)
no longer affects: mariadb-10.5 (Ubuntu Bionic)
no longer affects: mariadb-10.5 (Ubuntu Focal)
no longer affects: mariadb-10.5 (Ubuntu Groovy)
Otto Kekäläinen (otto) wrote :

The 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Mathew Hodson (mhodson) on 2021-05-05
no longer affects: mariadb-10.3 (Ubuntu)
no longer affects: mariadb-10.1 (Ubuntu)
Changed in mariadb-10.1 (Ubuntu Bionic):
importance: Undecided → Medium
Changed in mariadb-10.3 (Ubuntu Focal):
importance: Undecided → Medium
Changed in mariadb-10.3 (Ubuntu Groovy):
importance: Undecided → Medium
Changed in mariadb-10.5 (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in mariadb-10.5 (Ubuntu Impish):
importance: Undecided → Medium
Otto Kekäläinen (otto) wrote :

changelog:

mariadb-10.1 (1:10.1.48-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.1.48 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2020-14765
    - CVE-2020-14812
    - CVE-2020-28912
  * Additional backported fix for CVE-2021-27928:
    - Make @@wsrep_provider and @@wsrep_notify_cmd read-only

Otto Kekäläinen (otto) wrote :

The 10.3 series update for 20.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.3 (1:10.3.29-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13
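The comments above describe how a sponsor verifies an update (fetch the branch, check the pristine-tar tarball, diff the tags) and the changelog lists which CVEs each package version claims to fix. The script below is an added example, not part of the Ubuntu or Debian MariaDB packaging: it parses changelog entries in the format quoted in this bug, implements the dpkg version ordering rules (epoch, upstream, revision; '~' sorting before everything), and answers the defender's question "does the package version installed on this host carry the fix for CVE-2021-27928?". The embedded changelog is constructed for the example: the first entry is the focal 10.3.29 entry quoted above, the second is a placeholder older entry with a made-up version and maintainer.

```python
"""Check whether an installed MariaDB package version carries a given CVE fix,
using debian/changelog entries and dpkg version ordering. Added example code,
not the Ubuntu/Debian packaging's own tooling."""
import re
from dataclasses import dataclass, field

# Constructed sample: the focal 10.3.29 entry from the bug, then a placeholder
# older entry whose version, maintainer and date are invented for the example.
SAMPLE_CHANGELOG = """\
mariadb-10.3 (1:10.3.29-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022

 -- Otto Kekäläinen <email address hidden>  Sun, 09 May 2021 11:20:31 -0700

mariadb-10.3 (1:10.3.22-0placeholder1) focal; urgency=medium

  * Placeholder older entry (constructed) with no security content.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2020 00:00:00 +0000
"""

HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    source: str
    version: str
    distribution: str
    cves: set = field(default_factory=set)


def parse_changelog(text):
    """Split a debian/changelog into entries (newest first) and collect every CVE id
    mentioned in each entry. CVEs listed under 'Previous release X included fixes
    for' are attributed to the entry's own version, which is what matters when
    asking whether a given package version contains the fix."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(m["source"], m["version"], m["dist"]))
        elif entries:
            entries[-1].cves.update(CVE_RE.findall(line))
    return entries


def _split_version(v):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch defaults to 0."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", epoch
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return int(epoch), upstream, revision


def _char_order(c):
    # dpkg rule: '~' sorts before anything, even the end of the string; then the
    # end of the string; then letters; then all other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigits(a, b):
    i = 0
    while i < len(a) or i < len(b):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return oa - ob
        i += 1
    return 0


def _cmp_fragment(a, b):
    """Compare upstream or revision strings by alternating non-digit / digit runs."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigits(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        r = int(da or "0") - int(db or "0")
        if r:
            return r
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def covers_cve(installed_version, changelog_text, cve):
    """True if some changelog entry at or below the installed version mentions the CVE."""
    for e in parse_changelog(changelog_text):
        if cve in e.cves and compare_versions(installed_version, e.version) >= 0:
            return True
    return False


if __name__ == "__main__":
    for v in ("1:10.3.29-0ubuntu0.20.04.1", "1:10.3.22-0placeholder1"):
        print(v, "covers CVE-2021-27928:", covers_cve(v, SAMPLE_CHANGELOG, "CVE-2021-27928"))
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}\n' mariadb-server` and the changelog from the package's /usr/share/doc directory; the script only states that a version claims a fix, so it complements, rather than replaces, checking the debdiff and the read-only @@wsrep_provider / @@wsrep_notify_cmd behaviour on a running server.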

Otto Kekäläinen (otto) wrote :

The 10.3 series update for 20.10 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.10 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.10

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.3 (1:10.3.29-0ubuntu0.20.10.1) groovy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop --libmysqld-libs patch applied upstream
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

Otto Kekäläinen (otto) wrote :

The 10.5 series update for 21.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-21.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.5/tree/ubuntu-21.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.5 (1:10.5.10-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.10 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.5.9 included security fixes additionally for:
    - CVE-2021-27928
  * Previous release 10.5.7 included security fixes additionally for:
    - CVE-2021-2194
  * Previous release 10.5.5 included security fixes additionally for:
    - CVE-2021-2022
  * Drop riscv64 patch applied upstream
  * Drop spelling fixes applied upstream
  * Update symbols to include new one from MariaDB Client 3.1.13
  * Remove obsolete sql file removed by upstream (MDEV-24586)
  * Remove salsa-ci.yml, does not work for Ubuntu quality assurance

Otto Kekäläinen (otto) wrote :

You might want to consider issuing a USN for these updates as well.

Leonidas S. Barbosa (leosilvab) wrote :

Thanks a bunch @otto!!
I'll issue an USN for it asap.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.29-0ubuntu0.20.10.1

---------------
mariadb-10.3 (1:10.3.29-0ubuntu0.20.10.1) groovy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop --libmysqld-libs patch applied upstream
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

 -- Otto Kekäläinen <email address hidden> Sun, 09 May 2021 13:47:12 -0700

Changed in mariadb-10.3 (Ubuntu Groovy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.29-0ubuntu0.20.04.1

---------------
mariadb-10.3 (1:10.3.29-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.29 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.3.28 included fixes for:
    - CVE-2021-27928
  * Previous release 10.3.26 included fixes for:
    - CVE-2020-14765
    - CVE-2020-14776
    - CVE-2020-14789
    - CVE-2020-14812
    - CVE-2020-28912
    - CVE-2021-2194
  * Previous release 10.3.24 included fixes for:
    - CVE-2021-2022
  * Drop patch obsoleted by test file removal in upstream (MDEV-22653)
  * Drop file removed upstream (MDEV-24586)
  * Update symbols to include new one from MariaDB Client 3.1.13

 -- Otto Kekäläinen <email address hidden> Sun, 09 May 2021 11:20:31 -0700

Changed in mariadb-10.3 (Ubuntu Focal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.1 - 1:10.1.48-0ubuntu0.18.04.1

---------------
mariadb-10.1 (1:10.1.48-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.1.48 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2020-14765
    - CVE-2020-14812
    - CVE-2020-28912
  * Additional backported fix for CVE-2021-27928:
    - Make @@wsrep_provider and @@wsrep_notify_cmd read-only

 -- Otto Kekäläinen <email address hidden> Sun, 02 May 2021 18:40:30 -0700

Changed in mariadb-10.1 (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.5 - 1:10.5.10-0ubuntu0.21.04.1

---------------
mariadb-10.5 (1:10.5.10-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.10 includes fixes for the
    following security vulnerabilities (LP: #1926926):
    - CVE-2021-2154
    - CVE-2021-2166
  * Previous release 10.5.9 included security fixes additionally for:
    - CVE-2021-27928
  * Previous release 10.5.7 included security fixes additionally for:
    - CVE-2021-2194
  * Previous release 10.5.5 included security fixes additionally for:
    - CVE-2021-2022
  * Drop riscv64 patch applied upstream
  * Drop spelling fixes applied upstream
  * Update symbols to include new one from MariaDB Client 3.1.13
  * Remove obsolete sql file removed by upstream (MDEV-24586)
  * Remove salsa-ci.yml, does not work for Ubuntu quality assurance

 -- Otto Kekäläinen <email address hidden> Sun, 09 May 2021 10:49:34 -0700

Changed in mariadb-10.5 (Ubuntu Hirsute):
status: New → Fix Released