Ubuntu
mariadb package

CVE-2025-30722 et al affects MariaDB in Ubuntu

Bug #2110070 reported by Otto Kekäläinen
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mariadb (Ubuntu)
Confirmed
Undecided
Otto Kekäläinen
Noble
Confirmed
Undecided
Eduardo Barretto
Oracular
New
Undecided
Unassigned
Plucky
New
Undecided
Unassigned
mariadb-10.6 (Ubuntu)
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Eduardo Barretto

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.6 in Jammy
- mariadb (10.11) in Noble
- mariadb (11.4) in Plucky

MariaDB 11.8 in Questing will automatically import the new version from Debian Sid.

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
and https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2099785 for reference of a previous MariaDB CVE updates.

On a tangent, I have also been preparing MRE renewal for MariaDB (https://lists.ubuntu.com/archives/ubuntu-devel/2025-April/043346.html), but it isn't urgent as these CVEs justify uploading the latest minor maintenance releases as security updates.

Otto Kekäläinen (otto)
Changed in mariadb (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Revision history for this message
Otto Kekäläinen (otto) wrote :

First MR ready for review: 10.6.22 to Jammy
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hey Otto,

Thanks for preparing those!
I already assigned myself to review the merge request and I will try to do it still today. Let me know whenever you have more PRs.

Thanks :)

Revision history for this message
Otto Kekäläinen (otto) wrote :

For visibility, posting links to all Debian/Ubuntu stable updates in review now:

* MariaDB 11.4.6 to Ubuntu 25.04 "Plucky": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/121
* MariaDB 10.11.12 to Debian 12 "Bookworm": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/119
* MariaDB 10.11.12 to Ubuntu 24.04 "Noble": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/120
* MariaDB 10.6.22 to Ubuntu 22.04 "Jammy": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118
* MariaDB 10.5.29 for Debian 11 "Bullseye": https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/22

Revision history for this message
Otto Kekäläinen (otto) wrote :

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118 for 10.2.66 for Jammy is ready for review and upload on my part.

The 10.11 and 11.4 series is technically done for my part, but upstream announced that there is a serious regression and distros should wait for an extra release of 10.11.13 and 11.4.7 in coming days: https://<email address hidden>/thread/TP74ZU2ARZOQBLUNPT63I2A6LNB54XLJ/

Revision history for this message
Eduardo Barretto (ebarretto) wrote (last edit ):

Hey Otto,

Thanks for the updates.
I will start with 10.6.22 then and wait for the 10.11 and 11.4 with the regression fix.

no longer affects: mariadb (Ubuntu Jammy)
no longer affects: mariadb-10.6 (Ubuntu Noble)
no longer affects: mariadb-10.6 (Ubuntu Oracular)
no longer affects: mariadb-10.6 (Ubuntu Plucky)
Changed in mariadb (Ubuntu Noble):
assignee: nobody → Eduardo Barretto (ebarretto)
Eduardo Barretto (ebarretto)
Changed in mariadb-10.6 (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Revision history for this message
Otto Kekäläinen (otto) wrote : Re: [Bug 2110070] Re: CVE-2025-30722 et al affects MariaDB in Ubuntu

The 11.4.7 and 10.11.13 releases will include all the updates/fixes I
have done in the Merge Requests currently open, so if you review what
is visible now, the review for regression fix release from upstream
will have a smaller scope and go faster.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Eduardo: feel free to upload MariaDB 10.6.22 to Ubuntu 22.04 "Jammy" from https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118

Eduardo Barretto (ebarretto)
Changed in mariadb-10.6 (Ubuntu Jammy):
status: New → In Progress
Eduardo Barretto (ebarretto)
Changed in mariadb-10.6 (Ubuntu Jammy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.6 - 1:10.6.22-0ubuntu0.22.04.1

---------------
mariadb-10.6 (1:10.6.22-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.6.22 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-6-22-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2110070):
    - CVE-2023-52969
    - CVE-2023-52970
    - CVE-2025-30693
    - CVE-2025-30722
  * Fix changelog entry formatting in 1:10.6.21-0ubuntu0.22.04.1
  * Drop all three patches previously backported to 1:10.6.21-0ubuntu0.22.04.2
    now in upstream release

 -- Otto Kekäläinen <email address hidden> Tue, 06 May 2025 22:33:59 -0700

Changed in mariadb-10.6 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Eduardo Barretto (ebarretto)
Changed in mariadb (Ubuntu Noble):
status: New → Confirmed
Changed in mariadb-10.6 (Ubuntu):
status: New → Fix Released
Changed in mariadb (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.