security update for mariadb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0631-1 Final 1 1 2023-03-06T13:14:57Z current 2023-03-06T13:14:57Z 2023-03-06T13:14:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z security update for mariadb This update for mariadb fixes the following issues: - CVE-2022-38791: Fixed deadlock in compress_write in extra/mariabackup/ds_compress.cc (bsc#1202863). Version update from 10.4.26 to 10.4.28 (fixes CVE-2022-38791 and CVE-2022-38791). - Update to 10.4.28: * https://mariadb.com/kb/en/library/mariadb-10428-release-notes * https://mariadb.com/kb/en/library/mariadb-10428-changelog * https://mariadb.com/kb/en/library/mariadb-10427-release-notes * https://mariadb.com/kb/en/library/mariadb-10427-changelog - Update list of skipped tests - Update mariadb.keyring The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-631,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-631,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-631,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-631,SUSE-Storage-7-2023-631 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230631-1/ Link for SUSE-SU-2023:0631-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/013977.html E-Mail link for SUSE-SU-2023:0631-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1202863 SUSE Bug 1202863 https://www.suse.com/security/cve/CVE-2022-21595/ SUSE CVE CVE-2022-21595 page https://www.suse.com/security/cve/CVE-2022-38791/ SUSE CVE CVE-2022-38791 page SUSE Enterprise Storage 7 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 libmariadbd-devel-10.4.28-150200.3.38.1 libmariadbd19-10.4.28-150200.3.38.1 mariadb-10.4.28-150200.3.38.1 mariadb-bench-10.4.28-150200.3.38.1 mariadb-client-10.4.28-150200.3.38.1 mariadb-errormessages-10.4.28-150200.3.38.1 mariadb-galera-10.4.28-150200.3.38.1 mariadb-rpm-macros-10.4.28-150200.3.38.1 mariadb-test-10.4.28-150200.3.38.1 mariadb-tools-10.4.28-150200.3.38.1 libmariadbd-devel-10.4.28-150200.3.38.1 as a component of SUSE Enterprise Storage 7 libmariadbd19-10.4.28-150200.3.38.1 as a component of SUSE Enterprise Storage 7 mariadb-10.4.28-150200.3.38.1 as a component of SUSE Enterprise Storage 7 mariadb-client-10.4.28-150200.3.38.1 as a component of SUSE Enterprise Storage 7 mariadb-errormessages-10.4.28-150200.3.38.1 as a component of SUSE Enterprise Storage 7 mariadb-tools-10.4.28-150200.3.38.1 as a component of SUSE Enterprise Storage 7 libmariadbd-devel-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libmariadbd19-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS mariadb-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS mariadb-client-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS mariadb-errormessages-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS mariadb-tools-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS libmariadbd-devel-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libmariadbd19-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS mariadb-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS mariadb-client-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS mariadb-errormessages-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS mariadb-tools-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS libmariadbd-devel-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 libmariadbd19-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 mariadb-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 mariadb-client-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 mariadb-errormessages-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 mariadb-tools-10.4.28-150200.3.38.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2022-21595 SUSE Enterprise Storage 7:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:libmariadbd19-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-client-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-tools-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libmariadbd19-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-client-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-tools-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libmariadbd19-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-client-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-tools-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libmariadbd19-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-client-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-tools-10.4.28-150200.3.38.1 moderate 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230631-1/ https://www.suse.com/security/cve/CVE-2022-21595.html CVE-2022-21595 https://bugzilla.suse.com/1205469 SUSE Bug 1205469 In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock. CVE-2022-38791 SUSE Enterprise Storage 7:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:libmariadbd19-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-client-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Enterprise Storage 7:mariadb-tools-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:libmariadbd19-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-client-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:mariadb-tools-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:libmariadbd19-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-client-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server 15 SP2-LTSS:mariadb-tools-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libmariadbd-devel-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:libmariadbd19-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-client-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-errormessages-10.4.28-150200.3.38.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:mariadb-tools-10.4.28-150200.3.38.1 moderate 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230631-1/ https://www.suse.com/security/cve/CVE-2022-38791.html CVE-2022-38791 https://bugzilla.suse.com/1202863 SUSE Bug 1202863