Your message dated Sat, 11 Jul 2020 11:47:11 +0000
with message-id <e1judyj-0005av...@fasolo.debian.org>
and subject line Bug#961849: fixed in mariadb-10.3 1:10.3.23-0+deb10u1
has caused the Debian Bug report #961849,
regarding mariadb-10.3: CVE-2020-2814 CVE-2020-2812 CVE-2020-2760 CVE-2020-2752
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mariadb-10.3
Version: 1:10.3.22-1
Severity: grave
Tags: security upstream
Control: found -1 1:10.3.22-0+deb10u1

Hi,

The following vulnerabilities were published for mariadb-10.3,
orthogonal to the severity we might discuss if this warrants a DSA or
rather enough to be fixed via the next point release (gut feeling is
the latter).

CVE-2020-2814[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.6.47 and prior,
| 5.7.28 and prior and 8.0.18 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2020-2812[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily
| exploitable vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2020-2760[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.7.29 and prior and
| 8.0.19 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server as well as
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).


CVE-2020-2752[3]:
| Vulnerability in the MySQL Client product of Oracle MySQL (component:
| C API). Supported versions that are affected are 5.6.47 and prior,
| 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit
| vulnerability allows low privileged attacker with network access via
| multiple protocols to compromise MySQL Client. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Client. CVSS
| 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-2814
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814
[1] https://security-tracker.debian.org/tracker/CVE-2020-2812
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812
[2] https://security-tracker.debian.org/tracker/CVE-2020-2760
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2760
[3] https://security-tracker.debian.org/tracker/CVE-2020-2752
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2752

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mariadb-10.3
Source-Version: 1:10.3.23-0+deb10u1
Done: Otto Kekäläinen <o...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mariadb-10.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otto Kekäläinen <o...@debian.org> (supplier of updated mariadb-10.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 04 Jul 2020 15:31:51 +0300
Source: mariadb-10.3
Binary: libmariadb-dev libmariadbclient-dev libmariadb-dev-compat libmariadb3 
libmariadbd19 libmariadbd-dev mariadb-common mariadb-client-core-10.3 
mariadb-client-10.3 mariadb-server-core-10.3 mariadb-server-10.3 mariadb-server 
mariadb-client mariadb-backup mariadb-plugin-connect mariadb-plugin-rocksdb 
mariadb-plugin-oqgraph mariadb-plugin-tokudb mariadb-plugin-mroonga 
mariadb-plugin-spider mariadb-plugin-gssapi-server mariadb-plugin-gssapi-client 
mariadb-plugin-cracklib-password-check mariadb-test mariadb-test-data
Architecture: source
Version: 1:10.3.23-0+deb10u1
Distribution: buster
Urgency: high
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Otto Kekäläinen <o...@debian.org>
Description:
 libmariadb-dev - MariaDB database development files
 libmariadb-dev-compat - MariaDB Connector/C, compatibility symlinks
 libmariadb3 - MariaDB database client library
 libmariadbclient-dev - MariaDB database development files (transitional package)
 libmariadbd-dev - MariaDB embedded database, development files
 libmariadbd19 - MariaDB embedded database, shared library
 mariadb-backup - Backup tool for MariaDB server
 mariadb-client - MariaDB database client (metapackage depending on the latest vers
 mariadb-client-10.3 - MariaDB database client binaries
 mariadb-client-core-10.3 - MariaDB database core client binaries
 mariadb-common - MariaDB common metapackage
 mariadb-plugin-connect - Connect storage engine for MariaDB
 mariadb-plugin-cracklib-password-check - CrackLib Password Validation Plugin for MariaDB
 mariadb-plugin-gssapi-client - GSSAPI authentication plugin for MariaDB client
 mariadb-plugin-gssapi-server - GSSAPI authentication plugin for MariaDB server
 mariadb-plugin-mroonga - Mroonga storage engine for MariaDB
 mariadb-plugin-oqgraph - OQGraph storage engine for MariaDB
 mariadb-plugin-rocksdb - RocksDB storage engine for MariaDB
 mariadb-plugin-spider - Spider storage engine for MariaDB
 mariadb-plugin-tokudb - TokuDB storage engine for MariaDB
 mariadb-server - MariaDB database server (metapackage depending on the latest vers
 mariadb-server-10.3 - MariaDB database server binaries
 mariadb-server-core-10.3 - MariaDB database core server files
 mariadb-test - MariaDB database regression test suite
 mariadb-test-data - MariaDB database regression test suite - data files
Closes: 961849
Changes:
 mariadb-10.3 (1:10.3.23-0+deb10u1) buster; urgency=high
 .
   * SECURITY UPDATE: New upstream version 10.3.23. Includes fixes for the
     following security vulnerabilities (Closes: #961849):
     - CVE-2020-2752
     - CVE-2020-2760
     - CVE-2020-2812
     - CVE-2020-2814
     - CVE-2020-13249
   * Backport upstream patch to fix regression in RocksDB ZSTD detection
     which prevents a serious bug and also autopkgtest detectable
     regression.
   * Update libmariadb symbols for upstream release 3.1.8. Upstream
     added one new symbol and it needs to be tracked in the symbols file.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
