CVE-2024-21096 et al affects MariaDB in Ubuntu

Bug #2067125 reported by Otto Kekäläinen
Affects                 Status        Importance  Assigned to       Milestone
mariadb (Ubuntu)        Fix Released  Undecided   Otto Kekäläinen
  Mantic                Fix Released  Undecided   Eduardo Barretto
  Noble                 Fix Released  Undecided   Eduardo Barretto
mariadb-10.6 (Ubuntu)   Fix Released  Undecided   Unassigned
  Jammy                 Fix Released  Undecided   Eduardo Barretto

Bug Description

According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.6 in Jammy
- mariadb (10.11) in Mantic
- mariadb (10.11) in Noble

MariaDB 10.11 in Oracular will automatically import the new version from Debian Sid once Ubuntu maintainers drop the delta and sync.

Jammy has MariaDB 10.3 which is out of support by upstream and has no new version (at least no public one).

Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Revision history for this message
Otto Kekäläinen (otto) wrote :

Unlike previous times such as LP#2045452, this time I am trying a new way to ask for review at https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/82 (Prepare MariaDB Server 1:10.11.8-0ubuntu0.24.04.1 for upload to Ubuntu)

Revision history for this message
Otto Kekäläinen (otto) wrote :

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/83 (Prepare MariaDB Server 1:10.11.8-0ubuntu0.23.10.1 for upload to Ubuntu)

Revision history for this message
Otto Kekäläinen (otto) wrote :

https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/84 (Prepare MariaDB Server 1:10.6.18-0ubuntu0.22.04.1 for upload to Ubuntu)

Let's focus on the review (and fixes) in the first MR (!82), and only after it is uploaded and everything went fine proceed with the two others.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Otto,

Thanks for preparing the updates!
I will be taking a look at the PRs between today and tomorrow

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hey Otto,

sorry for the delay, the branches look good, and I could successfully build the package and check the diff with the PR, but I again had to bypass that issue with gbp not generating the orig tarball correctly.
I'm investigating this issue a bit more to see what is going on.

Revision history for this message
Otto Kekäläinen (otto) wrote :

Eduardo, old notes about xdelta3/pristine-tar incompatibility in https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326.

Do you have any feedback about the import otherwise? I could update and finalize it content-wise.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hey Otto,

sorry, I was off for a few days. So should I go ahead with the sponsor or do you want to merge things first? Either work well for me and I can continue with the sponsoring this week still.

Revision history for this message
Otto Kekäläinen (otto) wrote : Re: [Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

I was waiting for some feedback. If you have none, I will merge as-is.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Otto, all looks good, if you are ok I will proceed with the sponsoring

Otto Kekäläinen (otto)
affects: mariadb-10.3 (Ubuntu) → mariadb (Ubuntu)
Revision history for this message
Otto Kekäläinen (otto) wrote (last edit ):

The above MRs have been merged without further commits. We are aware that there still is an issue with pristine-tar/xdelta3 version compatibilities (https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326) and we know that Ubuntu-specific autopkgtests can't be triggered for testing anymore (https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/83). Neither is a sign of a regression in the release itself nor a reason to postpone delivering these security updates to users.

If you have permissions to trigger autopkgtests, please open link https://autopkgtest.ubuntu.com/request.cgi?release=mantic&arch=amd64&package=mariadb&ppa=mysql-ubuntu/mariadb-10.11&trigger=mariadb/1:10.11.8-0ubuntu0.23.10.1~bpo23.10.1~1718530712.65e173d159a%2Bubuntu.23.10.mantic

MariaDB 10.6.18 for Ubuntu Jammy is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu/22.04-jammy and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.6/+builds?build_text=&build_state=all

MariaDB 10.11.8 for Ubuntu Mantic is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu/23.10-mantic and builds pass at https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.11/+builds?build_text=&build_state=all

MariaDB 10.11.8 for Ubuntu Noble is ready at https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu/24.04-noble

If you find any issues, let me know and I will add commits to fix them.

Revision history for this message
Dave Jones (waveform) wrote :

Triggered autopkgtests via requested link, and added targeting for affected series (and package).

no longer affects: mariadb-10.6 (Ubuntu Mantic)
no longer affects: mariadb-10.6 (Ubuntu Noble)
no longer affects: mariadb (Ubuntu Jammy)
Changed in mariadb (Ubuntu Mantic):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb (Ubuntu Noble):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in mariadb-10.6 (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Otto,

I've uploaded yesterday the 3 updates to our security-proposed ppa:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=mariadb&field.status_filter=published&field.series_filter=

I will take a look at the autopkgtests we have in that ppa and, if everything is looking good, I will publish it either later today or earlier tomorrow.

One note though, on your comment you said the branches ubuntu-2* (e.g. ubuntu-22.04) but the correct branches are the ones you sent before, ubuntu/2* (e.g. ubuntu/22.04-jammy). Perhaps to avoid confusion in the future, would it be better to consolidate the branches?

Thanks again for preparing those and I will let you know when it is released or in case of issues.

Changed in mariadb (Ubuntu Mantic):
status: New → Fix Committed
Changed in mariadb (Ubuntu Noble):
status: New → Fix Committed
Changed in mariadb-10.6 (Ubuntu Jammy):
status: New → Fix Committed
Revision history for this message
Otto Kekäläinen (otto) wrote :

Updated branch links to have correct (new) naming scheme.

Thanks Dave for triggering autopkgtests. Back in January 2024 I was still able to do it myself (https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2045452/comments/18), I wonder what changed.

I now checked https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-mysql-ubuntu-mariadb-10.11/mantic/amd64/m/mariadb/20240617_174047_0dd5c@/log.gz that autopkgtest passed:

1478s configuration-tracing PASS
1478s smoke PASS
1478s upstream PASS

This is a surprisingly large amount of work to do a simple security upload, I need to think of ways of automating it. It would be by far easiest if Salsa-CI supported Ubuntu (https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/327).

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

I'm publishing the update first thing tomorrow morning, so far everything looks good.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb - 1:10.11.8-0ubuntu0.24.04.1

---------------
mariadb (1:10.11.8-0ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.11.8 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2067125):
    - CVE-2024-21096
  * Drop multiple patches dropped upstream, and re-import PR#2541 which had been
    rebased in the original (and still open) PR.
  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
  * Update client program 'mariadb' trace to match new libmariadb v3.3
  * Update server trace to include new parameters and values
  * Note that upstream dropped support for pmem as Red Hat does not support it,
    but we continue to use it in Ubuntu
  * Also note upstream updated the MariaDB Connector C library (libmariadb)
    from v3.2 to 3.3 in this stable maintenance release, but it does not cause
    any issues as the soname and list of public symbols continues to be exactly
    same as before

 -- Otto Kekäläinen <email address hidden> Fri, 24 May 2024 19:26:56 -0700

Changed in mariadb (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.6 - 1:10.6.18-0ubuntu0.22.04.1

---------------
mariadb-10.6 (1:10.6.18-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Update gdb.conf to be aligned with other branches and easier to maintain
  * Update upstream signing key
  * SECURITY UPDATE: New upstream version 10.6.18 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-6-18-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2067125):
    - CVE-2024-21096
  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
  * Fix failing build by including wsrep_sst_backup man page
  * Add patch to partially revert upstream c432c9ef (Closes: #1063738)

 -- Otto Kekäläinen <email address hidden> Sat, 25 May 2024 14:07:17 -0700

Changed in mariadb-10.6 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb - 1:10.11.8-0ubuntu0.23.10.1

---------------
mariadb (1:10.11.8-0ubuntu0.23.10.1) mantic-security; urgency=medium

  * Update gdb.conf to be aligned with other branches and easier to maintain
  * SECURITY UPDATE: New upstream version 10.11.8 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2067125):
    - CVE-2024-21096
  * Drop multiple patches dropped upstream, and re-import PR#2541 which had been
    rebased in the original (and still open) PR.
  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
  * Update client program 'mariadb' trace to match new libmariadb v3.3
  * Update server trace to include new parameters and values from 10.11.7 and .8
  * Note that upstream dropped support for pmem as Red Hat does not support it,
    but we continue to use it in Ubuntu
  * Also note upstream updated the MariaDB Connector C library (libmariadb)
    from v3.2 to 3.3 in this stable maintenance release, but it does not cause
    any issues as the soname and list of public symbols continues to be exactly
    same as before

 -- Otto Kekäläinen <email address hidden> Fri, 24 May 2024 22:02:01 -0700

Changed in mariadb (Ubuntu Mantic):
status: Fix Committed → Fix Released
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks again Otto for preparing this package update!
As mentioned above this is now published :)

Changed in mariadb (Ubuntu):
status: New → Fix Released
Changed in mariadb-10.6 (Ubuntu):
status: New → Fix Released