
CVE-2020-15180: MariaDB



Hello Debian LTS team!

Regarding CVE-2020-15180, I have prepared updates for Ubuntu Trusty
(5.5), Ubuntu Bionic (10.1), Focal (10.3), Groovy (10.3) and Debian
Stretch (10.1), Buster (10.3) and Sid (10.5).

The Debian and Ubuntu security teams have already processed these and
DSA and USN are in the works.

The last thing remaining is the coordination with the Debian LTS team
about the Stretch update.

Is there somebody in the LTS team who would like to review and approve
a mariadb-10.1 1:10.1.45-0+debu1 for Stretch?

Stretch changes:
https://salsa.debian.org/mariadb-team/mariadb-10.1/-/compare/debian%2F10.1.45-0+deb9u1...stretch
QA: https://salsa.debian.org/mariadb-team/mariadb-10.1/-/pipelines/185587

Unfortunately I don't have much more info about the security issue
itself. The source diff shows some changes to the WSREP-API (Galera
cluster code). There will be more info from security@mariadb.org at
the end of the month as there is an embargo now to allow time for
mysql-galera to ship an update. MariaDB and Percona have already
released fixes.

Release notes for reference:
- https://mariadb.com/kb/en/mariadb-1056-release-notes/
- https://mariadb.com/kb/en/mariadb-10325-release-notes/
- https://mariadb.com/kb/en/mariadb-10147-release-notes/


- Otto

