mariadb:10.3 security, bug fix, and enhancement update

Errata ID: AXSA:2021-1477:01

Release date: Tuesday, February 16, 2021 - 09:18
Subject: mariadb:10.3 security, bug fix, and enhancement update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL.

The following packages have been upgraded to a later upstream version: mariadb
(10.3.27), galera (25.3.31).

Security Fix(es):

mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep (CVE-2020-15180)
mysql: InnoDB unspecified vulnerability (CPU Oct 2019) (CVE-2019-2938)
mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2019) (CVE-2019-2974)
mysql: C API unspecified vulnerability (CPU Apr 2020) (CVE-2020-2752)
mysql: InnoDB unspecified vulnerability (CPU Apr 2020) (CVE-2020-2760)
mysql: Server: DML unspecified vulnerability (CPU Apr 2020) (CVE-2020-2780)
mysql: Server: Stored Procedure unspecified vulnerability (CPU Apr 2020) (CVE-2020-2812)
mysql: InnoDB unspecified vulnerability (CPU Apr 2020) (CVE-2020-2814)
mariadb-connector-c: Improper validation of content in an OK packet received from server (CVE-2020-13249)
mysql: Server: FTS unspecified vulnerability (CPU Oct 2020) (CVE-2020-14765)
mysql: InnoDB unspecified vulnerability (CPU Oct 2020) (CVE-2020-14776)
mysql: Server: FTS unspecified vulnerability (CPU Oct 2020) (CVE-2020-14789)
mysql: Server: Locking unspecified vulnerability (CPU Oct 2020) (CVE-2020-14812)
mysql: C API unspecified vulnerability (CPU Jan 2020) (CVE-2020-2574)

CVE(s):

CVE-2019-2938
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2019-2974
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2574
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2752
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2760
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
CVE-2020-2780
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2812
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-2814
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-13249
libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.
CVE-2020-14765
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-14776
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-14789
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-14812
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Locking). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2020-15180
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.50 and prior, 5.7.32 and prior and 8.0.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Bug Fix(es):

FTBFS: -D_GLIBCXX_ASSERTIONS
Queries with entity_id IN ('1', '2', …, '70000') run much slower in MariaDB 10.3 than on MariaDB 10.1
Cleanup race with wsrep_rsync_sst_tunnel may prevent full galera cluster bootstrap
There are undeclared file conflicts in several mariadb and mysql packages

Modularity name: mariadb
Stream name: 10.3

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. asio-1.10.8-7.module+el8+1182+3f22d48b.src.rpm
    MD5: 3324e84eed7c9c0c89c139cbaa99b39b
    SHA-256: 0ba4b612cc796c0fa34a9a1824272596239b54116d4a8f53a87aa5dfd81aeeb4
    Size: 0.99 MB
  2. galera-25.3.31-1.module+el8+1182+3f22d48b.src.rpm
    MD5: 2e6f8acd530ec07cd55478b06a421796
    SHA-256: 18568039227af5febfa1c5ec2ea3d6dac9174a3af153bdfd6d65e8a11489dfa4
    Size: 3.23 MB
  3. Judy-1.0.5-18.module+el8+1182+3f22d48b.src.rpm
    MD5: 3f4612049d1640c17d28d6a9615a658e
    SHA-256: 104818dbc3ca8bba56d20afde482c2cdf5b890f3834251fd97b2d8f7a1b7bf1d
    Size: 1.10 MB
  4. mariadb-10.3.27-3.module+el8+1182+3f22d48b.src.rpm
    MD5: 26a57149f5291710c5353931befaa804
    SHA-256: af13206584e580b8563abee264ae18a20a55ea0c611d71fc79369dedf6813d22
    Size: 64.08 MB

Asianux Server 8 for x86_64
  1. galera-25.3.31-1.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 39c1b339e2616be61cce84ebcc454ea0
    SHA-256: 6f26cdff6672e4d9152a7097e27867457101360f67bc5ac85b8a8ca60e3fcc86
    Size: 1.32 MB
  2. galera-debugsource-25.3.31-1.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 9e1280dcc45cb68e8f3e4ae7084ffcaa
    SHA-256: 690f2ab62180d37cb536936a89129526e1a9c3086241b69b1351a2a543008e0f
    Size: 461.01 kB
  3. Judy-1.0.5-18.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: a8be85105a10b0ae16215d57c1601a74
    SHA-256: 4b0053ff3610b88e5b276f339431d43b979fb24663f7f4c5636c82318ca6ec32
    Size: 129.08 kB
  4. Judy-debugsource-1.0.5-18.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 1e76dd4d1bcaa49a15647aba8f95864c
    SHA-256: 01bff6630efc00899116023eaad64e0409cc2222805680dd58d1a686add63d1f
    Size: 157.64 kB
  5. mariadb-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: befb0aaeca074678eed9d716e8443eb1
    SHA-256: 92947f2f124f5dca15be4af3f6519faa17850f51dfec8bbc3e49365fb4c429b6
    Size: 6.01 MB
  6. mariadb-backup-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: d739a168c045038c8512bd17ab8059e0
    SHA-256: 10faafa1b886759b144241d83e738260a6e5cfe855e4e74257649bbd31fc4740
    Size: 6.04 MB
  7. mariadb-common-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 17cfbc020a67e8e4ad910a502021597a
    SHA-256: 9cd1f4d32343834f2101f3e3320527a63ae1b8755298c6ef693af5f46b838113
    Size: 62.33 kB
  8. mariadb-debugsource-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 9e89a338c6ca2b4460aec7ced4b17979
    SHA-256: 2429dfc7a7fc868e072d41aa6c8c9b1d5f2474a41d9f5e484d10872a323707c7
    Size: 9.10 MB
  9. mariadb-devel-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 1ba36bbc0aecb780c82091dc28f0ff85
    SHA-256: 5485a93964d7dae3c985aaaa51953f55e9a74a4849eadc13593264dcbdc18423
    Size: 1.05 MB
  10. mariadb-embedded-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 747c4307c7ba9f818f41df8cdd8afed8
    SHA-256: 6feaf6c986617ffb95d716d4d72cdfbc8d36bbb96429967df35fe13034c806dc
    Size: 4.94 MB
  11. mariadb-embedded-devel-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: e6818d05ee5cc81f7ceab28b85520463
    SHA-256: c59b3d51fde19425c5b9ab141b7b1177dbe9e27f6ed1c6237a118d578b68732c
    Size: 42.88 kB
  12. mariadb-errmsg-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: a9a9e445f4d56e41ff5c3f84f4d74437
    SHA-256: 23f271f324f4082b4daaf4ecc51d6cd1ef505cf5735ae1e3085755042f321e9d
    Size: 232.60 kB
  13. mariadb-gssapi-server-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: adabf577533c3b17d87c2d773c70a596
    SHA-256: ce5bf5da5093526b880973aabaedcac64ad2cfdec71a59ce75ecf616e003f41f
    Size: 49.69 kB
  14. mariadb-oqgraph-engine-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: b758e27d21e1dc8c3b10b13e6f243c8e
    SHA-256: 59065a346cf03adf0bbf249078a35d2e19553e6fea4a4531eb9a829eb7bb9eaf
    Size: 112.08 kB
  15. mariadb-server-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: d6a9c1ef3c17e4219cf4a161f4a618e3
    SHA-256: f233802bc56f5ca0dd1d2286ff27b964b470a9d49afeb3237d4ba87153561adf
    Size: 16.13 MB
  16. mariadb-server-galera-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 1d5771e55982e1a0fa54174b064bf2a5
    SHA-256: 5691340aa542eb4f4e03f6ea0a2bccfe7d7cc77c4dd886ec83731fb4286bb816
    Size: 59.49 kB
  17. mariadb-server-utils-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: 69dfac3f2e654fe8e5e90a95eb1a307a
    SHA-256: 1de4b5235ad6385982239a743bf9b36bcae996af6d68ce75b4a4c4f4802e71c3
    Size: 1.14 MB
  18. mariadb-test-10.3.27-3.module+el8+1182+3f22d48b.x86_64.rpm
    MD5: b8b0eb42a3b376ede6ea5271e724f6a2
    SHA-256: a4ac1b3490ecd19eb48f4ab86d95a83c40d09ee86f228328c2f4a987acf908e1
    Size: 36.83 MB
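The download list above gives an MD5 and a SHA-256 for every RPM. The following is an added example, not part of this advisory or of the Asianux tooling: it parses that list layout into a manifest and checks files in a download directory against the SHA-256 values, reporting an entry that carries only an MD5 as unverifiable rather than accepting the weaker digest. The manifest text is a constructed excerpt (two entries copied from this advisory plus one hypothetical MD5-only entry), and the files it verifies are constructed in a temporary directory, so the block runs offline.

```python
"""Parse an errata download list and verify downloaded RPMs by SHA-256."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed excerpt in the advisory's own list layout: two real entries from
# this advisory plus one hypothetical entry that lists only an MD5.
MANIFEST_TEXT = """
  1. galera-25.3.31-1.module+el8+1182+3f22d48b.src.rpm
    MD5: 2e6f8acd530ec07cd55478b06a421796
    SHA-256: 18568039227af5febfa1c5ec2ea3d6dac9174a3af153bdfd6d65e8a11489dfa4
    Size: 3.23 MB
  2. mariadb-10.3.27-3.module+el8+1182+3f22d48b.src.rpm
    MD5: 26a57149f5291710c5353931befaa804
    SHA-256: af13206584e580b8563abee264ae18a20a55ea0c611d71fc79369dedf6813d22
    Size: 64.08 MB
  3. example-only-1.0-1.src.rpm
    MD5: 00000000000000000000000000000000
    Size: 1.00 kB
"""

# "  N. <file>.rpm" opens an entry; indented "Label: value" lines belong to it.
ENTRY_RE = re.compile(r"^\s*\d+\.\s+(\S+\.rpm)\s*$")
FIELD_RE = re.compile(r"^\s*(MD5|SHA-256|Size):\s*(\S.*?)\s*$")


def parse_manifest(text):
    """Return {filename: {"MD5": ..., "SHA-256": ..., "Size": ...}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def sha256_of(path):
    """Stream the file through SHA-256 so a 64 MB RPM is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest, directory):
    """Map each listed file to 'ok', 'MISMATCH', 'missing' or 'no-sha256'."""
    results = {}
    for name, fields in manifest.items():
        expected = fields.get("SHA-256")
        if expected is None:
            # An MD5-only entry is not a usable integrity check; flag it, don't trust it.
            results[name] = "no-sha256"
            continue
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        results[name] = "ok" if sha256_of(path).lower() == expected.lower() else "MISMATCH"
    return results


def demo():
    """Self-contained run over constructed files in a temp dir; returns the verdicts."""
    manifest = parse_manifest(MANIFEST_TEXT)
    with tempfile.TemporaryDirectory() as d:
        # A constructed file whose digest we record ourselves, so it verifies as 'ok'.
        good = Path(d) / "constructed-good.rpm"
        good.write_bytes(b"constructed sample, not a real RPM\n")
        manifest["constructed-good.rpm"] = {"SHA-256": sha256_of(good)}
        # A file carrying a listed name whose content does not match the advisory hash.
        bad = Path(d) / "galera-25.3.31-1.module+el8+1182+3f22d48b.src.rpm"
        bad.write_bytes(b"tampered or truncated download\n")
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10} {name}")
```

In practice, point `verify_downloads` at the directory the RPMs were fetched into and treat any verdict other than `ok` as a reason not to install; a digest match only proves the file is the one the advisory lists, so the package signature check (`rpm -K`) still belongs before installation.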