Source: mariadb
Version: 1:11.4.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for mariadb.

CVE-2023-52969[0]:
| MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
| through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an
| empty backtrace log. This may be related to make_aggr_tables_info
| and optimize_stage2.


CVE-2023-52970[1]:
| MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
| through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.*
| crashes in
| Item_direct_view_ref::derived_field_transformer_for_where.


CVE-2023-52971[2]:
| MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes
| in JOIN::fix_all_splittings_in_plan.

There are related MDEV issues referenced upstream, and from the limited
information this seems to affect the latest versions. The MDEVs are not
publicly accessible, so can you please clarify with upstream on their
status?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52969
    https://www.cve.org/CVERecord?id=CVE-2023-52969
    https://jira.mariadb.org/browse/MDEV-32083
[1] https://security-tracker.debian.org/tracker/CVE-2023-52970
    https://www.cve.org/CVERecord?id=CVE-2023-52970
    https://jira.mariadb.org/browse/MDEV-32086
[2] https://security-tracker.debian.org/tracker/CVE-2023-52971
    https://www.cve.org/CVERecord?id=CVE-2023-52971
    https://jira.mariadb.org/browse/MDEV-32084

Regards,
Salvatore
