-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From: Otto Kekäläinen <[email protected]>
To: [email protected]
Subject: [SECURITY] [DLA 4208-1] mariadb-10.5 security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4208-1                [email protected]
https://www.debian.org/lts/security/                     Otto Kekalainen
June 04, 2025                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : mariadb-10.5
Version        : 1:10.5.29-0+deb11u1
CVE ID         : CVE-2025-30693 CVE-2025-30722
Debian Bug     : 1099515 1105976

Vulnerabilities were discovered in MariaDB, a SQL database server
compatible with MySQL.

CVE-2025-30693

    Easily exploitable vulnerability allows a high privileged attacker
    with network access via multiple protocols to compromise MariaDB
    Server. Successful attacks of this vulnerability can result in an
    unauthorized ability to cause a hang or frequently repeatable crash
    (complete DoS) of MariaDB Server as well as unauthorized update,
    insert or delete access to some of MariaDB Server accessible data.

CVE-2025-30722

    Difficult to exploit vulnerability allows a low privileged attacker
    with network access via multiple protocols to compromise MariaDB
    Client. Successful attacks of this vulnerability can result in
    unauthorized access to critical data or complete access to all
    MariaDB Client accessible data as well as unauthorized update, insert
    or delete access to some of MariaDB Client accessible data.

For Debian 11 bullseye, these problems have been fixed in version
1:10.5.29-0+deb11u1.

This update also includes a NEWS entry about CVE-2025-30693:

    The fix for CVE-2025-30693 changes the InnoDB data format,
    particularly its variable-length integer encoding. The fix replaces
    mach_write_compressed() with mach_u64_write_much_compressed(), which
    produces an identical encoding for 32-bit unsigned values. Any
    64-bit unsigned integer that does not fit in 32 bits is encoded as
    the octet 0xff followed by the two variable-length encoded 32-bit
    halves of the integer.

    This scheme is not backward compatible with the older format and may
    break external tools, particularly tools that read indexes on
    virtual columns in InnoDB undo log records.

Additionally, the update also includes bugfixes through the 10.5
maintenance branch, as detailed at:
https://mariadb.com/kb/en/mariadb-10-5-29-release-notes/

We recommend that you upgrade your mariadb-10.5 packages.

For the detailed security status of mariadb-10.5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEmbRSsR88dMO0U+RvvthEn87o2ogFAmhAdx0ACgkQvthEn87o
2ogoJhAAm+i4wao587uvwTpPb6K2Rn054hk/jxcsY3pZAD2YfNmR69jlEH4VZXVH
H9UhxVVmIQRLTcx+MUf/szb3R4hNErU6KJIAgMJTyy4TD9ZdkAakT0qkEp+wIlMy
xabk66+9LHCuoKXfaIIFTJNQty+Bm0MlSN+q6mkdhv7jmMGq71j3JbolUypY9SQ6
ORo43PahBewTWril6oZE84gtzuAuvlWJJqX7kOmYhyFPOlnL6eAunmw8/Fnskd8z
EjZkeQBvjolZctUrDzJZ/qr+4jBvMYX8oQ5CzByRWI6zK7yBnsFrErzBXd3dtdc/
4q9ZbeAevJIIwCtPTOfbAR5FzqRP7hs7HmlZtkA8x5QzM6624vlO8FdIA/5K2ZS5
29FgJb2mX1wKVOvqUmiNiQzVHrj48PXZvbeL/FX5JU3ozqvnJL1AHD7KvfD7WwZA
nKdwKG24Ym+kje5N7MLMvAJsaWMVQyKBEbsDuPkr+92yMl3UBsMgiTmm5mPkGDUm
QZSPoA7OGt2+KBU8w5N9ZsY+TpuWg2ud/uOdvm6Sv57cHTKqXRUNwsgbG498BQtI
nVQyz9QZP5hFgHhqytxTgsRGSOMc08hkv039BJq/XmREFvptI5cxw6B61ABr9s/I
oADtp7rB07gHyZPGLxkR6yQpjjfE1M+3UBdAiJAhfCLEQLbTKXQ=
=uoNS
-----END PGP SIGNATURE-----
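The NEWS entry's point about the format change, worked through as an added example. This is not MariaDB's code and not part of the advisory: the functions write_compressed32, read_compressed32, write_much_compressed64, read_much_compressed64 and old_reader_agrees are this example's own names, modeled on the InnoDB mach_write_compressed family. It assumes the InnoDB compressed 32-bit integer layout (the count of leading one bits in the first byte gives the length, 0xF0 introduces a full 4-byte big-endian value) and implements the new 64-bit form exactly as the NEWS entry describes it: the octet 0xff followed by the compressed high and low halves. The demo shows that values fitting in 32 bits encode identically under both schemes, while a reader built for the old scheme misparses any value above 32 bits, which is the backward-incompatibility the entry warns external tools about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian helpers operating on the low n bytes of a 32-bit value. */
static void put_be(uint8_t *b, uint32_t v, size_t n) {
    for (size_t i = 0; i < n; i++)
        b[i] = (uint8_t)(v >> (8 * (n - 1 - i)));
}
static uint32_t get_be(const uint8_t *b, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | b[i];
    return v;
}

/* Pre-fix scheme (assumed InnoDB compressed 32-bit layout): the number of
   leading one bits in the first byte selects 1..4 bytes; 0xF0 introduces a
   full 4-byte big-endian value. Returns the number of bytes written. */
size_t write_compressed32(uint8_t *b, uint32_t n) {
    if (n < 0x80)       { b[0] = (uint8_t)n;              return 1; }
    if (n < 0x4000)     { put_be(b, n | 0x8000u, 2);      return 2; }
    if (n < 0x200000)   { put_be(b, n | 0xC00000u, 3);    return 3; }
    if (n < 0x10000000) { put_be(b, n | 0xE0000000u, 4);  return 4; }
    b[0] = 0xF0; put_be(b + 1, n, 4);                     return 5;
}

/* The decoder a pre-fix external tool would use. It has no notion of an
   0xFF prefix: every first byte >= 0xF0 is taken to be the 5-byte form. */
uint32_t read_compressed32(const uint8_t *b, size_t *len) {
    uint8_t f = b[0];
    if (f < 0x80) { *len = 1; return f; }
    if (f < 0xC0) { *len = 2; return get_be(b, 2) & 0x3FFFu; }
    if (f < 0xE0) { *len = 3; return get_be(b, 3) & 0x1FFFFFu; }
    if (f < 0xF0) { *len = 4; return get_be(b, 4) & 0x0FFFFFFFu; }
    *len = 5; return get_be(b + 1, 4);
}

/* Post-fix scheme as the NEWS entry describes it: a value that fits in
   32 bits keeps the identical encoding; otherwise the octet 0xFF is
   followed by the compressed high half and the compressed low half. */
size_t write_much_compressed64(uint8_t *b, uint64_t n) {
    if ((n >> 32) == 0)
        return write_compressed32(b, (uint32_t)n);
    b[0] = 0xFF;
    size_t len = 1 + write_compressed32(b + 1, (uint32_t)(n >> 32));
    len += write_compressed32(b + len, (uint32_t)n);
    return len;
}

uint64_t read_much_compressed64(const uint8_t *b, size_t *len) {
    size_t l1, l2;
    if (b[0] != 0xFF)
        return read_compressed32(b, len);
    uint64_t hi = read_compressed32(b + 1, &l1);
    uint64_t lo = read_compressed32(b + 1 + l1, &l2);
    *len = 1 + l1 + l2;
    return (hi << 32) | lo;
}

/* Encode n with the new scheme and decode it with both readers.
   Returns 1 if the pre-fix reader recovers the value and length,
   0 if it misparses, -1 if the new reader itself fails (never expected). */
int old_reader_agrees(uint64_t n) {
    uint8_t buf[11] = {0};          /* worst case: 0xFF + 5 + 5 bytes */
    size_t wl = write_much_compressed64(buf, n), nl, ol;
    uint64_t new_v = read_much_compressed64(buf, &nl);
    uint64_t old_v = read_compressed32(buf, &ol);
    if (new_v != n || nl != wl)
        return -1;
    return (old_v == n && ol == wl) ? 1 : 0;
}

int main(void) {
    /* Constructed sample values around each length boundary, plus two that
       do not fit in 32 bits and therefore get the 0xFF-prefixed form. */
    uint64_t samples[] = { 0x7F, 0x80, 0x3FFF, 0x4000, 0x1FFFFF, 0x0FFFFFFF,
                           0xFFFFFFFFu, 0x100000000ull, 0x12345678ABCDEFull };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%llx: pre-fix reader %s\n", (unsigned long long)samples[i],
               old_reader_agrees(samples[i]) == 1 ? "ok" : "MISPARSES");
    return 0;
}
```

For 0x100000000 the new encoding is the three bytes FF 01 00; a pre-fix reader sees the first byte as the 5-byte form and reads 0x01000000 from whatever follows, consuming five bytes and desynchronizing every field after it in the record. That is why the NEWS entry singles out tools that parse InnoDB undo log records rather than tools that only talk to the server over the network.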
