CVE-2025-30722 et al affects MariaDB in Ubuntu

Bug #2110070 reported by Otto Kekäläinen
Affects                  Status         Importance   Assigned to         Milestone
mariadb (Ubuntu)         Fix Released   Undecided    Otto Kekäläinen
  Noble                  Fix Released   Undecided    Eduardo Barretto
  Oracular               Won't Fix      Undecided    Unassigned
  Plucky                 Fix Released   Undecided    Eduardo Barretto
mariadb-10.6 (Ubuntu)    Fix Released   Undecided    Unassigned
  Jammy                  Fix Released   Undecided    Eduardo Barretto

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.6 in Jammy
- mariadb (10.11) in Noble
- mariadb (11.4) in Plucky

MariaDB 11.8 in Questing will automatically import the new version from Debian Sid.

Security sponsor, note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
and https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2099785 for reference to previous MariaDB CVE updates.

On a tangent, I have also been preparing MRE renewal for MariaDB (https://lists.ubuntu.com/archives/ubuntu-devel/2025-April/043346.html), but it isn't urgent as these CVEs justify uploading the latest minor maintenance releases as security updates.

Otto Kekäläinen (otto)
Changed in mariadb (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
Eduardo Barretto (ebarretto) wrote :

Hey Otto,

Thanks for preparing those!
I already assigned myself to review the merge request and I will try to do it still today. Let me know whenever you have more PRs.

Thanks :)

Otto Kekäläinen (otto) wrote :

For visibility, posting links to all Debian/Ubuntu stable updates in review now:

* MariaDB 11.4.6 to Ubuntu 25.04 "Plucky": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/121
* MariaDB 10.11.12 to Debian 12 "Bookworm": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/119
* MariaDB 10.11.12 to Ubuntu 24.04 "Noble": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/120
* MariaDB 10.6.22 to Ubuntu 22.04 "Jammy": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118
* MariaDB 10.5.29 for Debian 11 "Bullseye": https://salsa.debian.org/mariadb-team/mariadb-10.5/-/merge_requests/22

Otto Kekäläinen (otto) wrote :

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118 for 10.2.66 for Jammy is ready for review and upload on my part.

The 10.11 and 11.4 series are technically done on my part, but upstream announced that there is a serious regression and distros should wait for an extra release of 10.11.13 and 11.4.7 in the coming days: https://<email address hidden>/thread/TP74ZU2ARZOQBLUNPT63I2A6LNB54XLJ/

Eduardo Barretto (ebarretto) wrote (last edit):

Hey Otto,

Thanks for the updates.
I will start with 10.6.22 then and wait for the 10.11 and 11.4 with the regression fix.

no longer affects: mariadb (Ubuntu Jammy)
no longer affects: mariadb-10.6 (Ubuntu Noble)
no longer affects: mariadb-10.6 (Ubuntu Oracular)
no longer affects: mariadb-10.6 (Ubuntu Plucky)
Changed in mariadb (Ubuntu Noble):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb-10.6 (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Otto Kekäläinen (otto) wrote :

The 11.4.7 and 10.11.13 releases will include all the updates/fixes I have done in the Merge Requests currently open, so if you review what is visible now, the review for the regression fix release from upstream will have a smaller scope and go faster.

Otto Kekäläinen (otto) wrote :

Eduardo: feel free to upload MariaDB 10.6.22 to Ubuntu 22.04 "Jammy" from https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/118

Changed in mariadb-10.6 (Ubuntu Jammy):
status: New → In Progress
Changed in mariadb-10.6 (Ubuntu Jammy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.6 - 1:10.6.22-0ubuntu0.22.04.1

---------------
mariadb-10.6 (1:10.6.22-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.6.22 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-6-22-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2110070):
    - CVE-2023-52969
    - CVE-2023-52970
    - CVE-2025-30693
    - CVE-2025-30722
  * Fix changelog entry formatting in 1:10.6.21-0ubuntu0.22.04.1
  * Drop all three patches previously backported to 1:10.6.21-0ubuntu0.22.04.2
    now in upstream release

 -- Otto Kekäläinen <email address hidden> Tue, 06 May 2025 22:33:59 -0700

Changed in mariadb-10.6 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Changed in mariadb (Ubuntu Noble):
status: New → Confirmed
Changed in mariadb-10.6 (Ubuntu):
status: New → Fix Released
Changed in mariadb (Ubuntu):
status: New → Confirmed
Otto Kekäläinen (otto) wrote (last edit):

These have now also been reviewed and merged:

* MariaDB 11.4.6 to Ubuntu 25.04 "Plucky": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/121
* MariaDB 10.11.12 to Ubuntu 24.04 "Noble": https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/120

Eduardo: Feel free to proceed with upload

Changed in mariadb (Ubuntu Plucky):
status: New → In Progress
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb (Ubuntu Noble):
status: Confirmed → In Progress
Eduardo Barretto (ebarretto) wrote :

I've uploaded both to our security-proposed ppa:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=mariadb&field.status_filter=published&field.series_filter=

It will take some hours to finish building. Since I'm out tomorrow I'm planning to publish this on Monday.

Thanks again Otto for preparing those!

One last question, do you plan to update the package also for Oracular (24.10)?

Otto Kekäläinen (otto) wrote :

I was planning to skip Oracular as it is so close to EOL, if that is ok with you.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb - 1:10.11.13-0ubuntu0.24.04.1

---------------
mariadb (1:10.11.13-0ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.11.13 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-13-release-notes/ and
    also the previous upstream version 10.11.13 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-12-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2110070):
    - CVE-2023-52969
    - CVE-2023-52970
    - CVE-2023-52971
    - CVE-2025-30693
    - CVE-2025-30722
  * Fix indentation for changelog entry in 1:10.11.11-0ubuntu0.24.04.1
  * Drop all RocksDB patches now upstream due to update to version 6.29fb
  * Drop all three patches previously backported to 1:10.11.11-0ubuntu0.24.04.2
    now included in upstream release
  * Update configuration traces to have --ssl-verify-server-cert from MDEV-28908
  * Update configuration traces to include new upstream system variables:
    - innodb-buffer-pool-size-auto-min (default: 0)
    - innodb-buffer-pool-size-max (default: 0)
    - innodb-log-checkpoint-now (default: FALSE)
  * Also update configuration traces to match that in 10.11.12 the variables
    innodb-buffer-pool-chunk-size and innodb-log-spin-wait-delay are advertised
    as deprecated.

 -- Otto Kekäläinen <email address hidden> Fri, 23 May 2025 16:20:51 -0700

Changed in mariadb (Ubuntu Noble):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb - 1:11.4.7-0ubuntu0.25.04.1

---------------
mariadb (1:11.4.7-0ubuntu0.25.04.1) plucky-security; urgency=medium

  * SECURITY UPDATE: New upstream version 11.4.7 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-11-4-7-release-notes/ and
    also the previous upstream version 11.4.6 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-11-4-6-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2110070):
    - CVE-2023-52969
    - CVE-2023-52970
    - CVE-2023-52971
    - CVE-2025-30693
    - CVE-2025-30722
  * Drop all RocksDB patches now upstream due to update to version 6.29fb
  * Drop PCRE2 10.45 compatibility patch obsoleted by upstream test change
  * Revert "Set CAP_IPC_LOCK capability if possible" because of MDEV-36229
  * Update configuration traces to include new upstream system variables:
    - innodb-buffer-pool-size-auto-min (default: 0)
    - innodb-buffer-pool-size-max (default: 0)
    - innodb-log-checkpoint-now (default: FALSE)
  * Also update configuration traces to match that in 10.11.12 the variables
    innodb-buffer-pool-chunk-size and innodb-log-spin-wait-delay are advertised
    as deprecated.
  * Add Breaks/Replaces for files moved around in src:mysql-8.4 (LP: #2110378)
  * Disable new unreliable test main.mysql-interactive

 -- Otto Kekäläinen <email address hidden> Fri, 23 May 2025 16:35:15 -0700

Changed in mariadb (Ubuntu Plucky):
status: In Progress → Fix Released
Eduardo Barretto (ebarretto) wrote :

Thanks Otto for preparing those updates! The packages are now published and I've marked oracular accordingly.

Changed in mariadb (Ubuntu Oracular):
status: New → Won't Fix
Changed in mariadb (Ubuntu):
status: Confirmed → Fix Released
Otto Kekäläinen (otto) wrote :

Debian has now MariaDB 1:11.8.2-1 that includes the CVE fixes for Debian unstable and Debian Plucky: https://tracker.debian.org/pkg/mariadb

All we need is for the package to sync to Ubuntu.
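As an added practitioner check (this is not code from the bug report, from the Ubuntu Security Team or from the MariaDB packaging): the script below tells you whether a host's installed MariaDB packages are at or above the first fixed version published for its Ubuntu series, using the versions stated in the Launchpad Janitor messages in this bug (Jammy 1:10.6.22-0ubuntu0.22.04.1, Noble 1:10.11.13-0ubuntu0.24.04.1, Plucky 1:11.4.7-0ubuntu0.25.04.1). Rather than shelling out to `dpkg --compare-versions`, it reimplements the Debian version ordering from Debian Policy section 5.6.12 (epoch, then upstream version, then revision, with `~` sorting below everything), so it also runs on a machine that is not Debian-based, for example when you feed it inventory data collected elsewhere. The `dpkg-query` output lines are constructed sample input.

```python
"""Is an installed Ubuntu MariaDB package at or above the LP #2110070 fix?

Added example, not part of the Launchpad page or the MariaDB packaging.
Version ordering follows Debian Policy 5.6.12 (what dpkg --compare-versions does).
"""

# Source package and first fixed version per series, from the
# "This bug was fixed in the package ..." messages in this bug.
FIXED_VERSIONS = {
    "jammy":  ("mariadb-10.6", "1:10.6.22-0ubuntu0.22.04.1"),
    "noble":  ("mariadb",      "1:10.11.13-0ubuntu0.24.04.1"),
    "plucky": ("mariadb",      "1:11.4.7-0ubuntu0.25.04.1"),
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' 'mariadb-server*'`
# on a Jammy host still running the previous point release.
SAMPLE_DPKG_OUTPUT = """\
mariadb-server 1:10.6.18-0ubuntu0.22.04.1
mariadb-server-core 1:10.6.18-0ubuntu0.22.04.1
"""


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(ch):
    """dpkg character weight for non-digit runs: '~' < end of string < letters < others."""
    if ch is None or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg's verrevcmp()."""
    def at(s, k):
        return s[k] if k < len(s) else None

    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights until both sides reach a digit or the end.
        while (at(a, i) is not None and not at(a, i).isdigit()) or \
              (at(b, j) is not None and not at(b, j).isdigit()):
            diff = _order(at(a, i)) - _order(at(b, j))
            if diff:
                return diff
            i += 1
            j += 1
        # Numeric run: drop leading zeros; a longer number wins, else the first differing digit.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        first_diff = 0
        while at(a, i) is not None and at(a, i).isdigit() and \
              at(b, j) is not None and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i) is not None and at(a, i).isdigit():
            return 1
        if at(b, j) is not None and at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return <0, 0 or >0 when a is lower than, equal to or higher than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(series, installed_version):
    """True when installed_version is at or above the first fixed version for the series."""
    _, fixed = FIXED_VERSIONS[series]
    return compare_versions(installed_version, fixed) >= 0


def check_host(series, dpkg_output):
    """Map each package in dpkg-query output to whether it carries the fix."""
    result = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            package, version = line.split()
            result[package] = is_fixed(series, version)
    return result
```

`check_host("jammy", SAMPLE_DPKG_OUTPUT)` reports both sample packages as not fixed; a version such as `1:10.6.22-0ubuntu0.22.04.1~ppa1` from the security-proposed PPA sorts below the published release, so it is also reported as not fixed, which is the conservative answer you want from an inventory check. On a Debian-based host, `dpkg --compare-versions` gives the same ordering.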
