Bug 58102 - mariadb: Multiple issues (5.2)
Summary: mariadb: Multiple issues (5.2)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.2-1-errata
Assignee: Quality Assurance
QA Contact: Felix Botner
URL:
Keywords:
Duplicates: 58109 (view as bug list)
Depends on:
Blocks:
Reported: 2025-03-24 15:29 CET by Quality Assurance
Modified: 2025-03-26 16:47 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)


Description Quality Assurance univentionstaff 2025-03-24 15:29:17 CET
New Debian mariadb 1:10.11.11-0+deb12u1 fixes:
This update addresses the following issues:
* mysql: Client: mysqldump unspecified vulnerability (CPU Apr 2024)  (CVE-2024-21096)
* mysql: High Privilege Denial of Service Vulnerability in MySQL Server  (CVE-2025-21490)
Comment 1 Quality Assurance univentionstaff 2025-03-24 16:00:26 CET
--- mirror/ftp/pool/main/m/mariadb/mariadb_10.11.6-0+deb12u1.dsc
+++ apt/ucs_5.2-0-errata5.2-1/source/mariadb_10.11.11-0+deb12u1.dsc
@@ -1,3 +1,62 @@
+1:10.11.11-0+deb12u1 [Tue, 18 Feb 2025 16:56:41 -0800] Otto Kekäläinen <otto@debian.org>:
+
+  [ Otto Kekäläinen ]
+  * New upstream version 10.11.11. Includes fixes for several defects
+    as noted at https://mariadb.com/kb/en/mariadb-10-11-11-release-notes/ as
+    well the following security issues:
+    - CVE-2025-21490
+  * This release includes upstream version 10.11.10, with fixes for regressions
+    as noted at https://mariadb.com/kb/en/mariadb-10-11-10-release-notes/
+  * Includes fix for main.having_cond_pushdown test failure on s390x which also
+    affected builds in Debian (https://jira.mariadb.org/browse/MDEV-34650)
+  * Previous version 10.11.7 included fix for InnoDB hang (Closes: #1069895)
+  * Include Debian packaging bugfixes done upstream:
+    - MDEV-35907: debian-start script fails when using non-standard socket path
+    - Set CAP_IPC_LOCK capability if possible
+  * Update server trace to include new parameters and values. This includes now
+    MariaDB client parameter 'quick-max-column-width' and new MariaDB Server
+    parameters 'innodb-log-file-mmap' and 'optimizer-join-limit-pref-ratio'.
+    Also the parameters 'innodb-lru-flush-size' and
+    'innodb-purge-rseg-truncate-frequency' seems to have been removed, while
+    'optimizer-adjust-secondary-key-costs' got new default values.
+  * Update configuration traces to match innodb_log_file_mmap changes done in
+    MDEV-35785
+  * Update configuration traces with new query allocator values from MDEV-35750
+  * Skip test main.mysqld--help-aria due to MDEV-34733
+  * Include several restart/shutdown related fixes that have been in Debian
+    unstable in MariaDB 11.4 for a long time, and which are likely needed to
+    avoid occasional shutdown issues, in particular on upgrades (LP: #2034125)
+    in both Debian and Ubuntu
+    - Make SysV init more verbose in case of MariaDB start failures (Related: #1033234)
+    - Limit check of running mysqld/mariadbd to system users (Closes: #1032047)
+    - When shutting down 'mariadbd', fallback to 'mysqld'
+  * Add Lintian overrides for new upstream documentation JavaScript files
+  * Make d/watch more specific to circumvent bug in .10 vs .11 detection
+
+  [ Phil Dibowitz ]
+  * Add some info on getting back to passwordless root (Closes: #1088133)
+
+1:10.11.9-0+deb12u1 [Mon, 02 Sep 2024 16:55:56 -0700] Otto Kekäläinen <otto@debian.org>:
+
+  * New upstream version 10.11.9. Includes fixes for several severe regressions
+    as noted at https://mariadb.com/kb/en/mariadb-10-11-9-release-notes/
+  * This release includes upstream version 10.11.8, with fixes for regressions
+    as noted at https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/ as well
+    as security issue:
+    - CVE-2024-21096
+  * Drop multiple patches dropped upstream, including PR#2541.
+  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
+  * Update client program 'mariadb' trace to match new libmariadb v3.3
+  * Update server trace to include new parameters and values from 10.11.7 and .8
+  * Note that upstream dropped support for pmem as Red Hat does not support it,
+    but we continue to use it in Debian Bookworm
+  * Also note upstream updated the MariaDB Connector C library (libmariadb)
+    from v3.2 to 3.3 in this stable maintenance release, but it does not cause
+    any issues as the soname and list of public symbols continues to be exactly
+    same as before
+  * Update gdb.conf to be aligned with other branches and easier to maintain
+  * Add NEWS item to explain new `mariadb-dump` option `--sandbox`
+
 1:10.11.6-0+deb12u1 [Wed, 29 Nov 2023 20:42:37 -0800] Otto Kekäläinen <otto@debian.org>:
 
   * New upstream version 10.11.6. Includes fixes for several severe regressions
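Review bot: the diff header names the two .dsc files (mariadb_10.11.6-0+deb12u1.dsc and mariadb_10.11.11-0+deb12u1.dsc) while the hunk body is the debian/changelog, so the header does not describe what is actually compared; either note in the comment that this is the changelog excerpt or regenerate the diff against the changelog path. On content, the hunk shows both CVEs from the Description are covered by the version jump: CVE-2024-21096 via the 1:10.11.9-0+deb12u1 entry (the same entry adds the NEWS item for the new `mariadb-dump` option `--sandbox`) and CVE-2025-21490 via the 1:10.11.11-0+deb12u1 entry. Because this errata moves from 10.11.6 to 10.11.11 in one step, the changelog also records behaviour changes that the errata text (doc/errata/staging/mariadb.yaml) should mention: the server parameters 'innodb-lru-flush-size' and 'innodb-purge-rseg-truncate-frequency' are noted as apparently removed and 'optimizer-adjust-secondary-key-costs' got new default values, so a custom my.cnf that still sets the removed options may prevent the server from starting after the update; the restart/shutdown changes (more verbose SysV init on start failure, running-process check limited to system users, fallback from 'mariadbd' to 'mysqld' on shutdown) should be exercised by an upgrade-and-restart check rather than piuparts alone.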

<http://piuparts.knut.univention.de/5.2-1/#3900937072905719162>
Comment 2 Felix Botner univentionstaff 2025-03-24 17:05:22 CET
*** Bug 58109 has been marked as a duplicate of this bug. ***
Comment 3 Felix Botner univentionstaff 2025-03-24 17:06:45 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-1] 8cd1c11d6e0 Bug #58102: mariadb 1:10.11.11-0+deb12u1
 doc/errata/staging/mariadb.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.2-1] 3809f41ca11 Bug #58102: mariadb 1:10.11.11-0+deb12u1
 doc/errata/staging/mariadb.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)