USN-4250-1 also affects MariaDB

Bug #1861260 reported by Otto Kekäläinen
Affects | Status | Importance | Assigned to | Milestone
mariadb-10.1 (Ubuntu) | Fix Released | High | Steve Beattie |
mariadb-10.3 (Ubuntu) | Fix Released | High | Otto Kekäläinen |

Bug Description

According to https://mariadb.com/kb/en/security/ the issue CVE-2020-2574 also applies to MariaDB.

I am working on updates for all maintained Ubuntu versions for MariaDB:
- mariadb-10.1 in Bionic
- mariadb-10.3 in Eoan

A new mariadb-10.3 has already been uploaded to Debian unstable and Ubuntu Focal will automatically be fixed once it syncs.

Otto Kekäläinen (otto) wrote :

The 10.3 series update for 19.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-19.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-19.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor, note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto) wrote :

Sorry, meant to say Ubuntu 19.10 Eoan ^

> The 10.3 series update for 19.10 is now available.
> Please use git-buildpackage to fetch and build from the ubuntu-19.10 branch at
> https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-19.10

Otto Kekäläinen (otto) wrote :

The 10.1 series update for 18.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-18.04 branch at https://salsa.debian.org/mariadb-team/mariadb-10.1/tree/ubuntu-18.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.1/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff <tag1>..<tag2> debian/'

Security sponsor, note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates

Otto Kekäläinen (otto)
Changed in mariadb-10.3 (Ubuntu):
importance: Undecided → High
Changed in mariadb-10.1 (Ubuntu):
importance: Undecided → High
Steve Beattie (sbeattie) wrote :

Thanks, Otto, looking at these.

Changed in mariadb-10.1 (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.1 - 1:10.1.44-0ubuntu0.18.04.1

---------------
mariadb-10.1 (1:10.1.44-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.1.44 includes fixes for the
    following security vulnerabilities (LP: #1861260):
    - CVE-2020-2574
  * Limit scope of test suite to avoid unnecessary test failures

 -- Otto Kekäläinen <email address hidden> Thu, 30 Jan 2020 09:25:09 +0200

Changed in mariadb-10.1 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mariadb-10.3 - 1:10.3.22-0ubuntu0.19.10.1

---------------
mariadb-10.3 (1:10.3.22-0ubuntu0.19.10.1) eoan-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.22 includes fixes for the
    following security vulnerabilities (LP: #1861260):
    - CVE-2020-2574

 -- Otto Kekäläinen <email address hidden> Wed, 29 Jan 2020 09:03:14 +0200

Changed in mariadb-10.3 (Ubuntu):
status: New → Fix Released
Otto Kekäläinen (otto) wrote :

Thanks @sbeattie!

This report contains Public Security information  
Everyone can see this security related information.