UbuntuUpdates.org

Package "mariadb-server"

Name: mariadb-server

Description:

MariaDB database server (metapackage depending on the latest version)

Latest version: 1:10.3.39-0ubuntu0.20.04.2
Release: focal (20.04)
Level: updates
Repository: universe
Head package: mariadb-10.3
Homepage: https://mariadb.org/

Links


Download "mariadb-server"


Other versions of "mariadb-server" in Focal

Repository Area Version
base universe 1:10.3.22-1ubuntu1
security universe 1:10.3.39-0ubuntu0.20.04.2

Changelog

Version: 1:10.3.39-0ubuntu0.20.04.2 2024-01-25 19:12:26 UTC

  mariadb-10.3 (1:10.3.39-0ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.39 includes fixes for the
    following security vulnerabilities (LP: #2045452):
    - CVE-2022-47015
  * Add patch to revert upstream libmariadb API change (Debian Bug#1031773)
  * Make SysV init script explicit on its dependencies (Debian Bug#1035949)
  * Both of the changes above was included in the MariaDB Server version
    1:10.3.39-0+deb10u1 in Deban Buster without any reported regressions
    since June 2023 and are thus safe and appropriate to include in Ubuntu
    20.04 (Focal) as well
  * Include extra patch for CVE-2023-22084: A vulnerability allowed high
    privileged attacker with network access via multiple protocols to compromise
    the server. Successful attacks of this vulnerability can result in
    unauthorized ability to cause a hang or frequently repeatable crash
    (complete DOS) the server (Debian Bug#1055034)
  * According to https://mariadb.org/about/#maintenance-policy this
    was the last minor maintenance release for MariaDB 10.3 series

 -- Otto Kekäläinen <email address hidden> Sat, 02 Dec 2023 00:23:50 -0800

Source diff to previous version
2045452 CVE-2022-47015 et al affects MariaDB in Ubuntu
CVE-2022-47015 MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to derefere
CVE-2023-22084 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and

Version: 1:10.3.38-0ubuntu0.20.04.1 2023-02-21 07:06:52 UTC

  mariadb-10.3 (1:10.3.38-0ubuntu0.20.04.1) focal-security; urgency=medium

  * New upstream version 10.3.38. Includes fix for a major
    performance/memory consumption issue (MDEV-29988) (LP: #2006882).

 -- Otto Kekäläinen <email address hidden> Thu, 09 Feb 2023 22:57:07 -0800

Source diff to previous version
2006882 MDEV-29988 affects MariaDB in Ubuntu

Version: 1:10.3.37-0ubuntu0.20.04.1 2022-11-23 19:06:24 UTC

  mariadb-10.3 (1:10.3.37-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.37 includes fixes for security
    vulnerabilities from previous releases as listed below (LP: #1996452)
  * Previous upstream version 10.3.36 included security fixes for:
    - CVE-2018-25032
    - CVE-2022-32084
    - CVE-2022-32091
  * Previous upstream version 10.3.35 included security fixes for:
    - CVE-2021-46669
    - CVE-2022-21427
    - CVE-2022-27376
    - CVE-2022-27377
    - CVE-2022-27378
    - CVE-2022-27379
    - CVE-2022-27380
    - CVE-2022-27381
    - CVE-2022-27383
    - CVE-2022-27384
    - CVE-2022-27386
    - CVE-2022-27387
    - CVE-2022-27445
    - CVE-2022-27447
    - CVE-2022-27448
    - CVE-2022-27449
    - CVE-2022-27452
    - CVE-2022-27456
    - CVE-2022-27458
    - CVE-2022-32083
    - CVE-2022-32085
    - CVE-2022-32087
    - CVE-2022-32088

 -- Otto Kekäläinen <email address hidden> Sat, 12 Nov 2022 22:11:54 -0800

Source diff to previous version
1996452 CVE-2022-32091 et al affect MariaDB in Ubuntu
CVE-2018-25032 zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVE-2022-32084 MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.
CVE-2022-32091 MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptor
CVE-2021-46669 MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used.
CVE-2022-21427 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.37 and prior and 8.0
CVE-2022-27376 MariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially c
CVE-2022-27377 MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via special
CVE-2022-27378 An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service
CVE-2022-27379 An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial
CVE-2022-27380 An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (D
CVE-2022-27381 An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) v
CVE-2022-27383 MariaDB Server v10.6 and below was discovered to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially craf
CVE-2022-27384 An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Deni
CVE-2022-27386 MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc.
CVE-2022-27387 MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially
CVE-2022-27445 MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/sql_window.cc.
CVE-2022-27447 MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.
CVE-2022-27448 There is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON' at /row/row0mysql.cc.
CVE-2022-27449 MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.
CVE-2022-27452 MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.cc.
CVE-2022-27456 MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc.
CVE-2022-27458 MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.
CVE-2022-32083 MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.
CVE-2022-32085 MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.
CVE-2022-32087 MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.
CVE-2022-32088 MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/fil

Version: 1:10.3.34-0ubuntu0.20.04.1 2022-02-28 14:07:15 UTC

  mariadb-10.3 (1:10.3.34-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.34 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * Previous upstream version 10.3.33 included security fixes for:
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Previous upstream version 10.3.32 included security fixes for:
    - CVE-2021-46662
    - CVE-2021-46667
  * Upstream version 10.3.33 was skipped as upstream pulled the release within a
    couple of days of release due to severe regression
  * Notable upstream functional changes in 10.3.33:
    - New default minimum value for innodb_buffer_pool_size is 20 MB (from 2 MB)

 -- Otto Kekäläinen <email address hidden> Thu, 17 Feb 2022 18:15:59 -0800

Source diff to previous version
1961350 CVE-2022-24048 et al affect MariaDB in Ubuntu
CVE-2021-46661 MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).
CVE-2021-46663 MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.
CVE-2021-46664 MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.
CVE-2021-46665 MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations.
CVE-2021-46668 MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource
CVE-2021-46659 MariaDB before 10.7.2 allows an application crash because it does not recognize that SELECT_LEX::nest_level is local to each VIEW.
CVE-2022-24048 MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate
CVE-2022-24050 MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on
CVE-2022-24051 MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on
CVE-2022-24052 MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate p
CVE-2021-46662 MariaDB through 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery.
CVE-2021-46667 MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an application crash.

Version: 1:10.3.32-0ubuntu0.20.04.1 2021-12-06 15:07:22 UTC

  mariadb-10.3 (1:10.3.32-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.32 includes fixes for the
    following security vulnerabilities (LP: #1951709):
    - CVE-2021-35604
  * Drop MIPS and libatomic patches applied now upstream
  * Upstream issue MDEV-25114 about Galera WSREP invalid state
    fixed (Closes: #989898)

 -- Otto Kekäläinen <email address hidden> Sat, 20 Nov 2021 16:08:18 -0800

1951709 CVE-2021-35604 affects MariaDB in Ubuntu
989898 MariaDB crashes with "Crash: WSREP: invalid state ROLLED_BACK (FATAL)"
CVE-2021-35604 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 a



About   -   Send Feedback to @ubuntu_updates