Ubuntu
mariadb package

CVE-2025-30722 et al affects MariaDB in Ubuntu

Bug #2110070 reported by Otto Kekäläinen on 2025-05-06

258

This bug affects 1 person

	Status	Importance	Assigned to
mariadb (Ubuntu)	New	Undecided	Otto Kekäläinen
Noble	New	Undecided	Eduardo Barretto
Oracular	New	Undecided	Unassigned
Plucky	New	Undecided	Unassigned
mariadb-10.6 (Ubuntu)	New	Undecided	Unassigned
Jammy	In Progress	Undecided	Eduardo Barretto

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.6 in Jammy
- mariadb (10.11) in Noble
- mariadb (11.4) in Plucky

MariaDB 11.8 in Questing will automatically import the new version from Debian Sid.

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
and https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2099785 for reference of a previous MariaDB CVE updates.

On a tangent, I have also been preparing MRE renewal for MariaDB (https://lists.ubuntu.com/archives/ubuntu-devel/2025-April/043346.html), but it isn't urgent as these CVEs justify uploading the latest minor maintenance releases as security updates.

Otto Kekäläinen (otto) on 2025-05-06

Changed in mariadb (Ubuntu):
assignee:	nobody → Otto Kekäläinen (otto)

Revision history for this message

Otto Kekäläinen (otto) wrote on 2025-05-07:

First MR ready for review: 10.6.22 to Jammy
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2025-05-07:

Hey Otto,

Thanks for preparing those!
I already assigned myself to review the merge request and I will try to do it still today. Let me know whenever you have more PRs.

Thanks :)

Revision history for this message

Otto Kekäläinen (otto) wrote on 2025-05-08:

For visibility, posting links to all Debian/Ubuntu stable updates in review now:

* MariaDB 11.4.6 to Ubuntu 25.04 "Plucky": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/121
* MariaDB 10.11.12 to Debian 12 "Bookworm": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/119
* MariaDB 10.11.12 to Ubuntu 24.04 "Noble": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/120
* MariaDB 10.6.22 to Ubuntu 22.04 "Jammy": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118
* MariaDB 10.5.29 for Debian 11 "Bullseye": https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/22

Revision history for this message

Otto Kekäläinen (otto) wrote on 2025-05-10:

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118 for 10.2.66 for Jammy is ready for review and upload on my part.

The 10.11 and 11.4 series is technically done for my part, but upstream announced that there is a serious regression and distros should wait for an extra release of 10.11.13 and 11.4.7 in coming days: https://<email address hidden>/thread/TP74ZU2ARZOQBLUNPT63I2A6LNB54XLJ/

Revision history for this message

Eduardo Barretto (ebarretto) wrote on 2025-05-12 (last edit on 2025-05-12):

Hey Otto,

Thanks for the updates.
I will start with 10.6.22 then and wait for the 10.11 and 11.4 with the regression fix.

no longer affects:	mariadb (Ubuntu Jammy)
no longer affects:	mariadb-10.6 (Ubuntu Noble)
no longer affects:	mariadb-10.6 (Ubuntu Oracular)
no longer affects:	mariadb-10.6 (Ubuntu Plucky)
Changed in mariadb (Ubuntu Noble):
assignee:	nobody → Eduardo Barretto (ebarretto)

Eduardo Barretto (ebarretto) on 2025-05-12

Changed in mariadb-10.6 (Ubuntu Jammy):
assignee:	nobody → Eduardo Barretto (ebarretto)

Revision history for this message

Otto Kekäläinen (otto) wrote on 2025-05-12: Re: [Bug 2110070] Re: CVE-2025-30722 et al affects MariaDB in Ubuntu

The 11.4.7 and 10.11.13 releases will include all the updates/fixes I
have done in the Merge Requests currently open, so if you review what
is visible now, the review for regression fix release from upstream
will have a smaller scope and go faster.

Revision history for this message

Otto Kekäläinen (otto) wrote 13 hours ago:

Eduardo: feel free to upload MariaDB 10.6.22 to Ubuntu 22.04 "Jammy" from https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118

Eduardo Barretto (ebarretto) 6 hours ago

Changed in mariadb-10.6 (Ubuntu Jammy):
status:	New → In Progress

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntumariadb package

CVE-2025-30722 et al affects MariaDB in Ubuntu

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
mariadb package