CVE-2021-35604 affects MariaDB in Ubuntu

Bug #1951709 reported by Otto Kekäläinen
Affects: mariadb-10.3 (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Camila Camargo de Matos | Milestone: (none)
Affects: mariadb-10.5 (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Camila Camargo de Matos | Milestone: (none)

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.3 in Focal
- mariadb-10.5 in Hirsute and Impish

MariaDB 10.6 in Jammy will automatically import the new version from Debian Sid once available.

Security sponsor, note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto) wrote :

The 10.3 series update for 20.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.3 (1:10.3.32-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.32 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Upstream issue MDEV-25114 about Galera WSREP invalid state
    fixed (Closes: #989898)

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:08:18 -0800
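The sponsoring steps given in the three update comments (gbp fetch and build from the release branch, pristine-tar regeneration of the orig tarball, SHA1/signature check, and a debian/-only diff between tags) as one added helper script; this is example code, not part of the bug report or the mariadb-team packaging. The tag names, the expected SHA1 and the presence of a detached .asc signature next to the tarball are assumptions the sponsor fills in from the upstream release page.

```shell
#!/bin/sh
# Added example (not from the bug report): sponsor-side helper following the
# workflow described in the update comments for the ubuntu-20.04 branch.
# Placeholders marked "assumed" are not taken from the report.
set -eu

# Compare the SHA1 of a tarball with an expected value; returns 0 on match,
# non-zero otherwise, so callers can fail the build on a mismatch.
verify_tarball_sha1() {
  tarball="$1"; expected="$2"
  actual=$(sha1sum "$tarball" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Verify a detached GPG signature over the regenerated tarball; the upstream
# signing key must already be in the sponsor's keyring (assumed .asc layout).
verify_tarball_sig() {
  gpg --verify "$1.asc" "$1"
}

# Full workflow; only executed when invoked with "run", so that merely
# sourcing this file performs no network access.
sponsor_build() {
  repo="https://salsa.debian.org/mariadb-team/mariadb-10.3"   # from the report
  branch="ubuntu-20.04"                                        # from the report
  old_tag="PLACEHOLDER_OLD_TAG"; new_tag="PLACEHOLDER_NEW_TAG" # assumed
  expected_sha1="PLACEHOLDER_SHA1_FROM_UPSTREAM"               # assumed
  gbp clone --pristine-tar --debian-branch="$branch" "$repo" mariadb-10.3
  cd mariadb-10.3
  # pristine-tar recreates the exact upstream tarball; no separate download.
  gbp export-orig --pristine-tar
  orig=$(ls ../mariadb-10.3_*.orig.tar.gz | head -n1)
  verify_tarball_sha1 "$orig" "$expected_sha1"
  verify_tarball_sig "$orig"
  # Review only the packaging delta between the two release tags.
  git diff "$old_tag".."$new_tag" -- debian/ > ../packaging.debdiff
  gbp buildpackage --git-pristine-tar -us -uc
}

if [ "${1:-}" = "run" ]; then
  sponsor_build
fi
```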

Otto Kekäläinen (otto) wrote :

The 10.5 series update for 21.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-21.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.5/tree/ubuntu-21.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.5 (1:10.5.13-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.13 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Drop MIPS and libatomic patches applied now upstream

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:22:31 -0800

Otto Kekäläinen (otto) wrote :

The 10.5 series update for 21.10 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-21.10 branch at https://salsa.debian.org/mariadb-team/mariadb-10.5/tree/ubuntu-21.10

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo, e.g. in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.5 (1:10.5.13-0ubuntu0.21.10.1) impish-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.13 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Drop MIPS and libatomic patches applied now upstream

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:22:31 -0800

Mathew Hodson (mhodson)
Changed in mariadb-10.5 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.5 (Ubuntu):
assignee: nobody → Camila Camargo de Matos (ccdm94)
status: New → In Progress
Changed in mariadb-10.3 (Ubuntu):
assignee: nobody → Camila Camargo de Matos (ccdm94)
status: New → In Progress
importance: Undecided → Medium
Camila Camargo de Matos (ccdm94) wrote :

Hey Otto,

Thanks for the security updates! I have uploaded the new packages to the following PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/.

Camila Camargo de Matos (ccdm94) wrote :

Hello Otto,

Autopkgtests were run for the new package versions, and in general there were no impeding issues. However, there was a regression for the mariadb-10.5 package in the tests for the Ubuntu 21.10 version on the ppc64el architecture. The following test is failing: main.long_unique. Since jammy autopkgtests for mariadb-10.5 have been failing as well for the same reasons (on ppc64el), it might be safe to consider that the current fix was not the one that introduced the regression, and therefore I will still publish the packages to the archive next week. However, we thought it was important to let you know of this issue!

Here are a few links for reference:

https://autopkgtest.ubuntu.com/results/autopkgtest-impish-ubuntu-security-proposed-ppa/impish/ppc64el/m/mariadb-10.5/20211202_150518_cd3ac@/log.gz

https://autopkgtest.ubuntu.com/packages/mariadb-10.5/jammy/ppc64el

Thank you!

Otto Kekäläinen (otto) wrote :

I filed https://jira.mariadb.org/browse/MDEV-27160 upstream about main.long_unique test failure - thanks for reporting it!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.32-0ubuntu0.20.04.1

---------------
mariadb-10.3 (1:10.3.32-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.32 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Drop MIPS and libatomic patches applied now upstream
  * Upstream issue MDEV-25114 about Galera WSREP invalid state
    fixed (Closes: #989898)

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:08:18 -0800

Changed in mariadb-10.3 (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.5 - 1:10.5.13-0ubuntu0.21.10.1

---------------
mariadb-10.5 (1:10.5.13-0ubuntu0.21.10.1) impish-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.13 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Drop MIPS and libatomic patches applied now upstream

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:22:31 -0800

Changed in mariadb-10.5 (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.5 - 1:10.5.13-0ubuntu0.21.04.1

---------------
mariadb-10.5 (1:10.5.13-0ubuntu0.21.04.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.13 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Drop MIPS and libatomic patches applied now upstream

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:22:31 -0800

Changed in mariadb-10.5 (Ubuntu):
status: In Progress → Fix Released
Camila Camargo de Matos (ccdm94) wrote :

Hello Otto!

Thanks for the information.
I have published the packages and a related USN should come out soon!
Thank you once again!

This report contains Public Security information. Everyone can see this security-related information.