57652 – mariadb-10.3: Multiple issues (5.0)

Bug 57652 - mariadb-10.3: Multiple issues (5.0)

Summary: mariadb-10.3: Multiple issues (5.0)

Status:	CLOSED FIXED

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 5.0
Hardware:	All Linux

Importance:	P3 normal
Target Milestone:	UCS 5.0-9-errata
Assignee:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-10-07 15:10 CEST by Quality Assurance
Modified:	2024-10-09 14:55 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:	4.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2024-10-07 15:10:36 CEST

New Debian mariadb-10.3 1:10.3.39-0+deb10u3 fixes:
This update addresses the following issue:
1:10.3.39-0+deb10u3 (Sat, 28 Sep 2024 21:04:12 +0000)
* Non-maintainer upload by the ELTS Security Team.
* Fix CVE-2024-21096: Difficult to exploit vulnerability allows  unauthenticated attacker with logon to the infrastructure where MariaDB  Server executes to compromise MariaDB Server. Successful attacks of this  vulnerability can result in unauthorized update, insert or delete access to  some of MariaDB Server accessible data as well as unauthorized read access  to a subset of MariaDB Server accessible data and unauthorized ability to  cause a partial denial of service (partial DoS)

Comment 1 Quality Assurance

2024-10-07 16:00:11 CEST

--- mirror/ftp/pool/main/m/mariadb-10.3/mariadb-10.3_10.3.39-0+deb10u2.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/mariadb-10.3_10.3.39-0+deb10u3.dsc
@@ -1,3 +1,18 @@
+1:10.3.39-0+deb10u3 [Sat, 28 Sep 2024 21:04:12 +0000] Bastien Roucariès <rouca@debian.org>:
+
+  * Non-maintainer upload by the ELTS Security Team.
+  * Fix CVE-2024-21096:
+    Difficult to exploit vulnerability allows unauthenticated
+    attacker with logon to the infrastructure where MariaDB Server
+    executes to compromise MariaDB Server.
+    Successful attacks of this vulnerability can result in
+    unauthorized update, insert or delete access to some of
+    MariaDB Server accessible data as well as unauthorized
+    read access to a subset of MariaDB Server accessible
+    data and unauthorized ability to cause a partial
+    denial of service (partial DoS)
+    (Closes: #1069189)
+
 1:10.3.39-0+deb10u2 [Sat, 20 Jan 2024 21:31:44 +0000] Bastien Roucariès <rouca@debian.org>:
 
   * Non-maintainer upload by the LTS Security Team.

<http://piuparts.knut.univention.de/5.0-9/#5772832344116541440>

Comment 2 Iván.Delgado

2024-10-09 11:28:05 CEST

OK: bug
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
  Files left after package purge. Not an issue for this update
  Freexian ships dbgsym packages

[5.0-9] eabac80af3 Bug #57652: mariadb-10.3 1:10.3.39-0+deb10u3
 doc/errata/staging/mariadb-10.3.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

[5.0-9] 6273d25076 Bug #57652: mariadb-10.3 1:10.3.39-0+deb10u3
 doc/errata/staging/mariadb-10.3.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

[5.0-9] 47d3d40113 Bug #57652: mariadb-10.3 1:10.3.39-0+deb10u3
 doc/errata/staging/mariadb-10.3.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

Comment 3 Iván.Delgado

2024-10-09 14:55:13 CEST

<https://errata.software-univention.de/#/?erratum=5.0x1138>