[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
** Changed in: mariadb-10.6 (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961350

Title:
  CVE-2022-24048 et al affect MariaDB in Ubuntu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.3/+bug/1961350/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
This bug was fixed in the package mariadb-10.5 - 1:10.5.15-0ubuntu0.21.10.1

---
mariadb-10.5 (1:10.5.15-0ubuntu0.21.10.1) impish-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.15 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * New upstream version 10.5.14. Includes security fixes for
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Notable upstream functional changes in 10.5.14:
    - New default value for innodb_change_buffering is 'none' instead of
      old value 'all' (MDEV-27734). This change should improve crash safety
      but might cause performance regressions on systems that use old
      spinning disks (HDD) where seek latency is higher.
    - New default minimum value for innodb_buffer_pool_size is 20 MB
      (from 2 MB)

 -- Otto Kekäläinen Thu, 17 Feb 2022 18:27:55 -0800
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
This bug was fixed in the package mariadb-10.3 - 1:10.3.34-0ubuntu0.20.04.1

---
mariadb-10.3 (1:10.3.34-0ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.3.34 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * Previous upstream version 10.3.33 included security fixes for:
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Previous upstream version 10.3.32 included security fixes for:
    - CVE-2021-46662
    - CVE-2021-46667
  * Upstream version 10.3.33 was skipped as upstream pulled the release
    within a couple of days of release due to severe regression
  * Notable upstream functional changes in 10.3.33:
    - New default minimum value for innodb_buffer_pool_size is 20 MB
      (from 2 MB)

 -- Otto Kekäläinen Thu, 17 Feb 2022 18:15:59 -0800

** Changed in: mariadb-10.3 (Ubuntu)
       Status: New => Fix Released

** Changed in: mariadb-10.5 (Ubuntu)
       Status: New => Fix Released
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
Thanks Otto, no worries.
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
Thanks for your patience. I did review in git-citool what I committed but made a mistake in my approach and reverted everything in the debian/* changes. I didn't sleep much last night due to the breaking news last evening.

Fixed now.
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/compare/3ce8fe96bff98e8df92d5b03fe1f01ea29e6dcbe...ubuntu-21.10?from_project_id=52359
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
Otto, I don't think your last commit makes sense either, it removed the changelog entry, etc.
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
Thanks Marc for the review and spotting that change. I fixed it now on https://salsa.debian.org/mariadb-team/mariadb-10.5/-/tree/ubuntu-21.10
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
Hi Otto,

Could you please confirm the changes to debian/additions/mariadb.conf.d/50-server.cnf in impish are reasonable? I don't see them mentioned in debian/changelog...

Thanks!
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
The 10.5 series update for 21.10 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-21.04 branch at
https://salsa.debian.org/mariadb-team/mariadb-10.5/tree/ubuntu-21.10

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.5/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff .. debian/'

Changelog:

mariadb-10.5 (1:10.5.15-0ubuntu0.21.10.1) impish-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.5.15 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * New upstream version 10.5.14. Includes security fixes for
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Notable upstream functional changes in 10.5.14:
    - New default value for innodb_change_buffering is 'none' instead of
      old value 'all' (MDEV-27734). This change should improve crash safety
      but might cause performance regressions on systems that use old
      spinning disks (HDD) where seek latency is higher.
    - New default minimum value for innodb_buffer_pool_size is 20 MB
      (from 2 MB)

 -- Otto Kekäläinen Thu, 17 Feb 2022 18:27:55 -0800

** Description changed: According to https://mariadb.com/kb/en/security/ the latest minor MariaDB releases include security fixes. I am working on updates for all maintained Ubuntu versions for MariaDB: - mariadb-10.3 in Focal - - mariadb-10.5 in Hirsute and Impish + - mariadb-10.5 in Impish MariaDB 10.6 in Jammy will automatically import the new version from Debian Sid once available. MariaDB 10.5 should be removed from Jammy (as already done in Debian Sid and Testing). 
Security sponsor note this: https://wiki.ubuntu.com/SecurityTeam/PublicationNotes#Sponsoring_MariaDB_Security_Updates
[Bug 1961350] Re: CVE-2022-24048 et al affect MariaDB in Ubuntu
The 10.3 series update for 20.04 is now available.

Please use git-buildpackage to fetch and build from the ubuntu-20.04 branch at
https://salsa.debian.org/mariadb-team/mariadb-10.3/tree/ubuntu-20.04

The repository uses pristine-tar, so there is no need to separately download the sources. You can just check the signature/SHA1SUM directly from the git-buildpackage generated tarball.

Test builds and testsuite passed on all platforms at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.3/+builds?build_text=&build_state=all

Debdiffs can be created directly from the repo like in a local clone with 'git diff .. debian/'

Changelog:

  * SECURITY UPDATE: New upstream version 10.3.34 includes fixes for the
    following security vulnerabilities (LP: #1961350):
    - CVE-2021-46661
    - CVE-2021-46663
    - CVE-2021-46664
    - CVE-2021-46665
    - CVE-2021-46668
  * Previous upstream version 10.3.33 included security fixes for:
    - CVE-2021-46659
    - CVE-2022-24048
    - CVE-2022-24050
    - CVE-2022-24051
    - CVE-2022-24052
  * Previous upstream version 10.3.32 included security fixes for:
    - CVE-2021-46662
    - CVE-2021-46667
  * Upstream version 10.3.33 was skipped as upstream pulled the release
    within a couple of days of release due to severe regression
  * Notable upstream functional changes in 10.3.33:
    - New default minimum value for innodb_buffer_pool_size is 20 MB
      (from 2 MB)

 -- Otto Kekäläinen Thu, 17 Feb 2022 18:15:59 -0800