Your message dated Mon, 06 Jul 2020 06:48:43 +0000
with message-id <e1jskvj-0005m5...@fasolo.debian.org>
and subject line Bug#961849: fixed in mariadb-10.3 1:10.3.23-1
has caused the Debian Bug report #961849,
regarding mariadb-10.3: CVE-2020-2814 CVE-2020-2812 CVE-2020-2760 CVE-2020-2752
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
961849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mariadb-10.3
Version: 1:10.3.22-1
Severity: grave
Tags: security upstream
Control: found -1 1:10.3.22-0+deb10u1
Hi,
The following vulnerabilities were published for mariadb-10.3,
orthogonal to the severity we might discuss if this warrants a DSA or
rather enough to be fixed via the next point release (gut feeling is
the latter).
CVE-2020-2814[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.6.47 and prior,
| 5.7.28 and prior and 8.0.18 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2812[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily
| exploitable vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2760[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.7.29 and prior and
| 8.0.19 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server as well as
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2020-2752[3]:
| Vulnerability in the MySQL Client product of Oracle MySQL (component:
| C API). Supported versions that are affected are 5.6.47 and prior,
| 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit
| vulnerability allows low privileged attacker with network access via
| multiple protocols to compromise MySQL Client. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Client. CVSS
| 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-2814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814
[1] https://security-tracker.debian.org/tracker/CVE-2020-2812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812
[2] https://security-tracker.debian.org/tracker/CVE-2020-2760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2760
[3] https://security-tracker.debian.org/tracker/CVE-2020-2752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2752
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mariadb-10.3
Source-Version: 1:10.3.23-1
Done: Otto Kekäläinen <o...@debian.org>
We believe that the bug you reported is fixed in the latest version of
mariadb-10.3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Otto Kekäläinen <o...@debian.org> (supplier of updated mariadb-10.3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Jul 2020 21:28:11 +0300
Source: mariadb-10.3
Binary: libmariadb-dev libmariadbclient-dev libmariadb-dev-compat libmariadb3
libmariadbd19 libmariadbd-dev mariadb-common mariadb-client-core-10.3
mariadb-client-10.3 mariadb-server-core-10.3 mariadb-server-10.3 mariadb-server
mariadb-client mariadb-backup mariadb-plugin-connect mariadb-plugin-rocksdb
mariadb-plugin-oqgraph mariadb-plugin-tokudb mariadb-plugin-mroonga
mariadb-plugin-spider mariadb-plugin-gssapi-server mariadb-plugin-gssapi-client
mariadb-plugin-cracklib-password-check mariadb-test mariadb-test-data
Architecture: source
Version: 1:10.3.23-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Otto Kekäläinen <o...@debian.org>
Description:
libmariadb-dev - MariaDB database development files
libmariadb-dev-compat - MariaDB Connector/C, compatibility symlinks
libmariadb3 - MariaDB database client library
libmariadbclient-dev - MariaDB database development files (transitional package)
libmariadbd-dev - MariaDB embedded database, development files
libmariadbd19 - MariaDB embedded database, shared library
mariadb-backup - Backup tool for MariaDB server
mariadb-client - MariaDB database client (metapackage depending on the latest vers
mariadb-client-10.3 - MariaDB database client binaries
mariadb-client-core-10.3 - MariaDB database core client binaries
mariadb-common - MariaDB common metapackage
mariadb-plugin-connect - Connect storage engine for MariaDB
mariadb-plugin-cracklib-password-check - CrackLib Password Validation Plugin for MariaDB
mariadb-plugin-gssapi-client - GSSAPI authentication plugin for MariaDB client
mariadb-plugin-gssapi-server - GSSAPI authentication plugin for MariaDB server
mariadb-plugin-mroonga - Mroonga storage engine for MariaDB
mariadb-plugin-oqgraph - OQGraph storage engine for MariaDB
mariadb-plugin-rocksdb - RocksDB storage engine for MariaDB
mariadb-plugin-spider - Spider storage engine for MariaDB
mariadb-plugin-tokudb - TokuDB storage engine for MariaDB
mariadb-server - MariaDB database server (metapackage depending on the latest vers
mariadb-server-10.3 - MariaDB database server binaries
mariadb-server-core-10.3 - MariaDB database core server files
mariadb-test - MariaDB database regression test suite
mariadb-test-data - MariaDB database regression test suite - data files
Closes: 951059 961849
Changes:
mariadb-10.3 (1:10.3.23-1) unstable; urgency=medium
.
[ Otto Kekäläinen ]
* SECURITY UPDATE: New upstream version 10.3.23. Includes fixes for the
following security vulnerabilities (Closes: #961849):
- CVE-2020-2752
- CVE-2020-2760
- CVE-2020-2812
- CVE-2020-2814
- CVE-2020-13249
- Includes fix for MDEV-21586: Server does not start if lc_messages setting
was not English (Closes: #951059)
- Backport packaging improvements from MariaDB 10.4:
- Fix RocksDB build failure on arch riscv64
- Amend changelog with #951059 reference
- Properly use DH_ and DEB_ flag in d/rules
- Detect MySQL 8.0 based on undo_001 file as *.flag is buggy in mysql-8.0
- Make mariadb-client-10.4 Recommends libdbd-mariadb-perl as primary option
- Update package to use debhelper level 10
- Delete pam_mariadb_mtr.so test plugin from build completely
- Fix minor typos in docs and in-line comments
- Sync server stopping logic from MariaDB 10.4 preinst/postinst/postrm
- Sync AppArmor profile handling from MariaDB 10.4
- Sync non-functional delta from upstream 10.4
- Simplify autopkgtest 'smoke' to be easier to debug
.
[ Christian Ehrhardt ]
* Fix RocksDB build failure on arch riscv64
Checksums-Sha1:
8470e7842b8350c0aecaba16479194be2dcaa5c2 4772 mariadb-10.3_10.3.23-1.dsc
c95b6d4cff5e6d63eed05da20561802b9c83e717 72582611 mariadb-10.3_10.3.23.orig.tar.gz
a989ae4b2613d8fdd418078f527757aa72730654 195 mariadb-10.3_10.3.23.orig.tar.gz.asc
2094538baae00a788d52d2d1d37dd0079df0f308 219324 mariadb-10.3_10.3.23-1.debian.tar.xz
35093027a8a0e114b1b2d7d4d48dbcbeebcaab80 9274 mariadb-10.3_10.3.23-1_source.buildinfo
Checksums-Sha256:
f0fef035fc0d11ec20a856421c739be81de883e70f9ce182b7173d756afd07d6 4772 mariadb-10.3_10.3.23-1.dsc
fc405022457d8eec5991b870cc1c9a07b83b551d6165c414c4d8f31523aa86ae 72582611 mariadb-10.3_10.3.23.orig.tar.gz
641e4d384fca5a93a2382b6d522881c6076e72c201afaf8d6a470d6e9c2b6b12 195 mariadb-10.3_10.3.23.orig.tar.gz.asc
21e5229af4992bcb8a62807d5e86f215012bcb0ed53c84ab40028c790a87cb8d 219324 mariadb-10.3_10.3.23-1.debian.tar.xz
81a96f331f7bb543b8c0600bfaf5c23692952c727015f17f5a02dfb4cf02f005 9274 mariadb-10.3_10.3.23-1_source.buildinfo
Files:
dfc62c6b6adfa3704fc3635d54e4e285 4772 database optional mariadb-10.3_10.3.23-1.dsc
473950893d29805d9384ec0ed5d7c276 72582611 database optional mariadb-10.3_10.3.23.orig.tar.gz
95c707deba220fbe16afb590e9ba933c 195 database optional mariadb-10.3_10.3.23.orig.tar.gz.asc
bff27ec2d459551cf01517a4961a5c97 219324 database optional mariadb-10.3_10.3.23-1.debian.tar.xz
d93ab7a2a1cf7f72a6dedabbcfe99499 9274 database optional mariadb-10.3_10.3.23-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
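The signed .changes file above is what binds the 1:10.3.23-1 upload to its source artifacts: the Checksums-Sha256 field lists every file, its size and its digest. The following is an added example, written for this page and not Debian's own tooling (dscverify from devscripts and dpkg-source do this for real): it parses that field with the standard library only and checks supplied file contents against it, reporting every discrepancy. The mariadb stanza embedded in it is copied from the message above; the second, "example_1.0.orig.tar.gz", is a constructed toy upload whose only file is the five bytes b"hello", used so the mismatch paths can be exercised offline.

```python
"""Check the files of a Debian source upload against its .changes file.

Added example, not Debian's own tooling. Parses the multi-line
Checksums-Sha256 field of a .changes file and checks each listed file's
size and SHA-256 against bytes supplied by the caller.
"""
import hashlib
import re
from typing import Dict, List, NamedTuple


class ChangesEntry(NamedTuple):
    name: str
    size: int
    sha256: str


# Real Checksums-Sha256 stanza of the mariadb-10.3 1:10.3.23-1 upload quoted
# in the message above (other fields omitted or abbreviated).
MARIADB_CHANGES = """\
Format: 1.8
Source: mariadb-10.3
Version: 1:10.3.23-1
Checksums-Sha256:
 f0fef035fc0d11ec20a856421c739be81de883e70f9ce182b7173d756afd07d6 4772 mariadb-10.3_10.3.23-1.dsc
 fc405022457d8eec5991b870cc1c9a07b83b551d6165c414c4d8f31523aa86ae 72582611 mariadb-10.3_10.3.23.orig.tar.gz
 641e4d384fca5a93a2382b6d522881c6076e72c201afaf8d6a470d6e9c2b6b12 195 mariadb-10.3_10.3.23.orig.tar.gz.asc
 21e5229af4992bcb8a62807d5e86f215012bcb0ed53c84ab40028c790a87cb8d 219324 mariadb-10.3_10.3.23-1.debian.tar.xz
 81a96f331f7bb543b8c0600bfaf5c23692952c727015f17f5a02dfb4cf02f005 9274 mariadb-10.3_10.3.23-1_source.buildinfo
Files:
 dfc62c6b6adfa3704fc3635d54e4e285 4772 database optional mariadb-10.3_10.3.23-1.dsc
"""

# Constructed (not real) upload whose single file is the bytes b"hello";
# the digests are sha256("hello") and md5("hello").
TOY_CHANGES = """\
Format: 1.8
Source: example
Checksums-Sha256:
 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 5 example_1.0.orig.tar.gz
Files:
 5d41402abc4b2a76b9719d911017c592 5 misc optional example_1.0.orig.tar.gz
"""

_FIELD_HEADER = re.compile(r"^[A-Za-z0-9-]+:")
_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def parse_changes(text: str) -> Dict[str, ChangesEntry]:
    """Return {filename: ChangesEntry} from the Checksums-Sha256 field.

    Continuation lines are recognised by not being a 'Field:' header rather
    than by their leading space, because mail archives (like the one above)
    strip indentation. Entries an archive has re-wrapped onto two lines must
    be rejoined first; a wrapped entry is rejected, not guessed at.
    """
    entries: Dict[str, ChangesEntry] = {}
    in_field = False
    for raw in text.splitlines():
        line = raw.strip()
        if _FIELD_HEADER.match(line):
            in_field = line.startswith("Checksums-Sha256:")
            continue
        if not in_field or not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed Checksums-Sha256 line: {raw!r}")
        digest, size, name = parts
        if not _SHA256_HEX.match(digest):
            raise ValueError(f"bad sha256 for {name}: {digest!r}")
        # A .changes names plain files in one directory; a path component
        # here would let a hostile upload write outside that directory.
        if "/" in name or name in (".", ".."):
            raise ValueError(f"unsafe filename in .changes: {name!r}")
        if name in entries:
            raise ValueError(f"duplicate entry for {name!r}")
        entries[name] = ChangesEntry(name, int(size), digest)
    if not entries:
        raise ValueError("no Checksums-Sha256 field found")
    return entries


def verify_files(entries: Dict[str, ChangesEntry],
                 files: Dict[str, bytes]) -> List[str]:
    """Compare supplied file contents with the .changes; [] means all good."""
    problems: List[str] = []
    for name, entry in entries.items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
            continue
        if len(data) != entry.size:
            problems.append(f"{name}: size {len(data)} != {entry.size}")
        if hashlib.sha256(data).hexdigest() != entry.sha256:
            problems.append(f"{name}: sha256 mismatch")
    # Files present but not listed are not covered by the signature at all.
    for name in sorted(set(files) - set(entries)):
        problems.append(f"{name}: not listed in .changes")
    return problems


if __name__ == "__main__":
    for name, entry in parse_changes(MARIADB_CHANGES).items():
        print(f"{entry.sha256}  {entry.size:>9}  {name}")
    toy = parse_changes(TOY_CHANGES)
    print("intact:  ", verify_files(toy, {"example_1.0.orig.tar.gz": b"hello"}))
    print("tampered:", verify_files(toy, {"example_1.0.orig.tar.gz": b"hellp"}))
```

The digests only mean something once the PGP signature over the .changes itself has been checked (gpg --verify, or dscverify which does both steps): whoever can swap the orig tarball on a mirror can also rewrite an unsigned checksum list. The .dsc carries its own Checksums fields for the tarballs, so the same parser applies to it after the signature check.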