CVE-2022-24048 et al affect MariaDB in Ubuntu

Bug #1961350 reported by Otto Kekäläinen
Affects                 Status        Importance  Assigned to  Milestone
mariadb-10.3 (Ubuntu)   Fix Released  Medium      Unassigned
mariadb-10.5 (Ubuntu)   Fix Released  Medium      Unassigned
mariadb-10.6 (Ubuntu)   Fix Released  Medium      Unassigned

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.3 in Focal
- mariadb-10.5 in Impish

MariaDB 10.6 in Jammy will automatically import the new version from Debian Sid once available. MariaDB 10.5 should be removed from Jammy (as already done in Debian Sid and Testing).

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto)
Changed in mariadb-10.3 (Ubuntu):
importance: Undecided → Medium
Changed in mariadb-10.6 (Ubuntu):
importance: Undecided → Medium
Otto Kekäläinen (otto) wrote :

The 10.3 series update for 20.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

  * SECURITY UPDATE: New upstream version 10.3.34 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * Previous upstream version 10.3.33 included security fixes for:
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Previous upstream version 10.3.32 included security fixes for:
    - CVE-2021-46662
    - CVE-2021-46667
  * Upstream version 10.3.33 was skipped as upstream pulled the release within a
    couple of days of release due to severe regression
  * Notable upstream functional changes in 10.3.33:
    - New default minimum value for innodb_buffer_pool_size is 20 MB (from 2 MB)

 -- Otto Kekäläinen <email address hidden> Thu, 17 Feb 2022 18:15:59 -0800

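As an added example (not part of this bug report or of the mariadb packaging), a small Python parser for the debian/changelog stanzas quoted in this thread, so a sponsor or an administrator can answer "which package version first lists CVE-X as fixed" from the changelog instead of by eye. The sample input is the 10.3 stanza above, trimmed, plus one constructed older stanza; the maintainer e-mail and CVE-1999-0001 are placeholders.

```python
import re

# Constructed sample: the 10.3 stanza quoted in this report (trimmed) plus a made-up older stanza.
SAMPLE_CHANGELOG = """\
mariadb-10.3 (1:10.3.34-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.34 (LP: #1961350):
    - CVE-2021-46661
  * Previous upstream version 10.3.33 included security fixes for:
    - CVE-2021-46659
    - CVE-2022-24048

 -- Otto Kekäläinen <maintainer@example.invalid>  Thu, 17 Feb 2022 18:15:59 -0800

mariadb-10.3 (1:10.3.31-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry with a placeholder CVE id
    - CVE-1999-0001

 -- Otto Kekäläinen <maintainer@example.invalid>  Mon, 10 May 2021 12:00:00 -0700
"""
# Stanza header "<source> (<version>) <distribution>; urgency=<level>"; " -- Name <email>  date" closes it.
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=(?P<urg>\S+)")
TRAILER_RE = re.compile(r"^ -- .+<.+>\s+.+$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_changelog(text):
    """Return stanzas newest-first as dicts (pkg, ver, dist, urg, cves); cves is a sorted list."""
    stanzas, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {**header.groupdict(), "cves": set()}
        elif current is None:
            continue                      # text before the first header belongs to no stanza
        elif TRAILER_RE.match(line):
            current["cves"] = sorted(current["cves"])
            stanzas.append(current)
            current = None
        else:
            current["cves"].update(CVE_RE.findall(line))
    if current is not None:               # header without trailer: malformed, refuse to guess
        raise ValueError("stanza %s has no ' -- ' trailer" % current["ver"])
    return stanzas

def fixed_in(stanzas, cve):
    for stanza in reversed(stanzas):      # oldest version listing the CVE; changelog is newest-first
        if cve in stanza["cves"]:
            return stanza["ver"]
    return None                           # changelog never mentions this CVE
```

Comparing the returned version against the installed package version (dpkg --compare-versions) is what turns this into an "is this host fixed" check.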
Otto Kekäläinen (otto) wrote (last edit ):

The 10.5 series update for 21.10 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-21.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.5/tree/ubuntu-21.10

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Changelog:

mariadb-10.5 (1:10.5.15-0ubuntu0.21.10.1) impish-security; urgency=medium
  * SECURITY UPDATE: New upstream version 10.5.15 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * New upstream version 10.5.14. Includes security fixes for
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Notable upstream functional changes in 10.5.14:
    - New default value for innodb_change_buffering is 'none' instead of old
      value 'all' (MDEV-27734). This change should improve crash safety but
      might cause performance regressions on systems that use old spinning disks
      (HDD) where seek latency is higher.
    - New default minimum value for innodb_buffer_pool_size is 20 MB (from 2 MB)

 -- Otto Kekäläinen <email address hidden> Thu, 17 Feb 2022 18:27:55 -0800

description: updated
Marc Deslauriers (mdeslaur) wrote :

Hi Otto,

Could you please confirm the changes to debian/additions/mariadb.conf.d/50-server.cnf in impish are reasonable? I don't see them mentioned in debian/changelog...

Thanks!

Otto Kekäläinen (otto) wrote :

Thanks Marc for the review and spotting that change. I fixed it now on https://salsa.debian.org/mariadb-team/mariadb-10.5/-/tree/ubuntu-21.10

Marc Deslauriers (mdeslaur) wrote :

Otto, I don't think your last commit makes sense either, it removed the changelog entry, etc.

Otto Kekäläinen (otto) wrote (last edit ):

Thanks for your patience. I did review in git-citool what I committed, but made a mistake in my approach and reverted everything in the debian/* changes. I didn't sleep much last night due to the breaking news last evening. Fixed now.

https://salsa.debian.org/mariadb-team/mariadb-10.5/-/compare/3ce8fe96bff98e8df92d5b03fe1f01ea29e6dcbe...ubuntu-21.10?from_project_id=52359

Marc Deslauriers (mdeslaur) wrote :

Thanks Otto, no worries.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.34-0ubuntu0.20.04.1

---------------
mariadb-10.3 (1:10.3.34-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.34 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * Previous upstream version 10.3.33 included security fixes for:
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Previous upstream version 10.3.32 included security fixes for:
    - CVE-2021-46662
    - CVE-2021-46667
  * Upstream version 10.3.33 was skipped as upstream pulled the release within a
    couple of days of release due to severe regression
  * Notable upstream functional changes in 10.3.33:
    - New default minimum value for innodb_buffer_pool_size is 20 MB (from 2 MB)

 -- Otto Kekäläinen <email address hidden> Thu, 17 Feb 2022 18:15:59 -0800

Changed in mariadb-10.3 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.5 - 1:10.5.15-0ubuntu0.21.10.1

---------------
mariadb-10.5 (1:10.5.15-0ubuntu0.21.10.1) impish-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.15 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * New upstream version 10.5.14. Includes security fixes for
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Notable upstream functional changes in 10.5.14:
    - New default value for innodb_change_buffering is 'none' instead of old
      value 'all' (MDEV-27734). This change should improve crash safety but
      might cause performance regressions on systems that use old spinning disks
      (HDD) where seek latency is higher.
    - New default minimum value for innodb_buffer_pool_size is 20 MB (from 2 MB)

 -- Otto Kekäläinen <email address hidden> Thu, 17 Feb 2022 18:27:55 -0800

Changed in mariadb-10.5 (Ubuntu):
status: New → Fix Released
Changed in mariadb-10.6 (Ubuntu):
status: New → Fix Released
This report contains Public Security information. Everyone can see this security related information.