[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-19 Thread Eduardo Barretto
Thanks again Otto for preparing this package update!
As mentioned above this is now published :)

** Changed in: mariadb (Ubuntu)
   Status: New => Fix Released

** Changed in: mariadb-10.6 (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067125

Title:
  CVE-2024-21096 et al affects MariaDB in Ubuntu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2067125/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-19 Thread Launchpad Bug Tracker
This bug was fixed in the package mariadb-10.6 -
1:10.6.18-0ubuntu0.22.04.1

---
mariadb-10.6 (1:10.6.18-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Update gdb.conf to be aligned with other branches and easier to maintain
  * Update upstream signing key
  * SECURITY UPDATE: New upstream version 10.6.18 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-6-18-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2067125):
    - CVE-2024-21096
  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
  * Fix failing build by including wsrep_sst_backup man page
  * Add patch to partially revert upstream c432c9ef (Closes: #1063738)

 -- Otto Kekäläinen   Sat, 25 May 2024 14:07:17 -0700

** Changed in: mariadb-10.6 (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

** Changed in: mariadb (Ubuntu Mantic)
   Status: Fix Committed => Fix Released


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-19 Thread Launchpad Bug Tracker
This bug was fixed in the package mariadb - 1:10.11.8-0ubuntu0.23.10.1

---
mariadb (1:10.11.8-0ubuntu0.23.10.1) mantic-security; urgency=medium

  * Update gdb.conf to be aligned with other branches and easier to maintain
  * SECURITY UPDATE: New upstream version 10.11.8 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2067125):
    - CVE-2024-21096
  * Drop multiple patches dropped upstream, and re-import PR#2541 which had been
    rebased in the original (and still open) PR.
  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
  * Update client program 'mariadb' trace to match new libmariadb v3.3
  * Update server trace to include new parameters and values from 10.11.7 and .8
  * Note that upstream dropped support for pmem as Red Hat does not support it,
    but we continue to use it in Ubuntu
  * Also note upstream updated the MariaDB Connector C library (libmariadb)
    from v3.2 to 3.3 in this stable maintenance release, but it does not cause
    any issues as the soname and list of public symbols continues to be exactly
    same as before

 -- Otto Kekäläinen   Fri, 24 May 2024 22:02:01 -0700


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-19 Thread Launchpad Bug Tracker
This bug was fixed in the package mariadb - 1:10.11.8-0ubuntu0.24.04.1

---
mariadb (1:10.11.8-0ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: New upstream version 10.11.8 includes fixes for regressions
    as noted at https://mariadb.com/kb/en/mariadb-10-11-8-release-notes/ and
    also fixes the following security vulnerabilities (LP: #2067125):
    - CVE-2024-21096
  * Drop multiple patches dropped upstream, and re-import PR#2541 which had been
    rebased in the original (and still open) PR.
  * Remove libmariadb file no longer present in MariaDB Connector C v3.3
  * Update client program 'mariadb' trace to match new libmariadb v3.3
  * Update server trace to include new parameters and values
  * Note that upstream dropped support for pmem as Red Hat does not support it,
    but we continue to use it in Ubuntu
  * Also note upstream updated the MariaDB Connector C library (libmariadb)
    from v3.2 to 3.3 in this stable maintenance release, but it does not cause
    any issues as the soname and list of public symbols continues to be exactly
    same as before

 -- Otto Kekäläinen   Fri, 24 May 2024 19:26:56 -0700

** Changed in: mariadb (Ubuntu Noble)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-21096


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-18 Thread Eduardo Barretto
I'm publishing the update first thing tomorrow morning, so far
everything looks good.


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-18 Thread Otto Kekäläinen
Updated branch links to have correct (new) naming scheme.

Thanks Dave for triggering autopkgtests. Back in January 2024 I was
still able to do it myself
(https://bugs.launchpad.net/ubuntu/+source/mariadb/+bug/2045452/comments/18),
I wonder what changed.

I now checked
https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-mysql-ubuntu-mariadb-10.11/mantic/amd64/m/mariadb/20240617_174047_0dd5c@/log.gz
that autopkgtest passed:

1478s configuration-tracing PASS
1478s smoke PASS
1478s upstream PASS

This is a surprisingly large amount of work to do a simple security
upload, I need to think of ways of automating it. It would be by far
easiest if Salsa-CI supported Ubuntu
(https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/327).

** Bug watch added: salsa.debian.org/salsa-ci-team/pipeline/-/issues #327
   https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/327


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-18 Thread Eduardo Barretto
Hi Otto,

I've uploaded yesterday the 3 updates to our security-proposed ppa:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=mariadb_filter=published_filter=

I will take a look at the autopkgtests we have in that ppa and, if
everything is looking good, I will publish it either later today or
earlier tomorrow.

One note though, on your comment you said the branches ubuntu-2* (e.g.
ubuntu-22.04) but the correct branches are the ones you sent before,
ubuntu/2* (e.g. ubuntu/22.04-jammy). Perhaps to avoid confusion in the
future, would it be better to consolidate the branches?

Thanks again for preparing those and I will let you know when it is
released or in case of issues.

** Changed in: mariadb (Ubuntu Mantic)
   Status: New => Fix Committed

** Changed in: mariadb (Ubuntu Noble)
   Status: New => Fix Committed

** Changed in: mariadb-10.6 (Ubuntu Jammy)
   Status: New => Fix Committed


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-18 Thread Eduardo Barretto
** Changed in: mariadb (Ubuntu Mantic)
 Assignee: (unassigned) => Eduardo Barretto (ebarretto)

** Changed in: mariadb (Ubuntu Noble)
 Assignee: (unassigned) => Eduardo Barretto (ebarretto)

** Changed in: mariadb-10.6 (Ubuntu Jammy)
 Assignee: (unassigned) => Eduardo Barretto (ebarretto)


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-17 Thread Dave Jones
Triggered autopkgtests via requested link, and added targeting for
affected series (and package).

** Also affects: mariadb-10.6 (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: mariadb (Ubuntu Noble)
   Importance: Undecided
   Status: New

** Also affects: mariadb-10.6 (Ubuntu Noble)
   Importance: Undecided
   Status: New

** Also affects: mariadb (Ubuntu Mantic)
   Importance: Undecided
   Status: New

** Also affects: mariadb-10.6 (Ubuntu Mantic)
   Importance: Undecided
   Status: New

** Also affects: mariadb (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: mariadb-10.6 (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** No longer affects: mariadb-10.6 (Ubuntu Mantic)

** No longer affects: mariadb-10.6 (Ubuntu Noble)

** No longer affects: mariadb (Ubuntu Jammy)


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-16 Thread Otto Kekäläinen
The above MRs have been merged without further commits. We are aware
that there still is an issue with pristine-tar/xdelta3 version
compatibilities
(https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326) and we
know that Ubuntu-specific autopkgtests can't be triggered for testing
anymore
(https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/83).
Neither is a sign of a regression in the release itself nor a reason to
postpone delivering these security updates to users.

If you have permissions to trigger autopkgtests, please open the link
https://autopkgtest.ubuntu.com/request.cgi?release=mantic=amd64=mariadb=mysql-ubuntu/mariadb-10.11=mariadb/1:10.11.8-0ubuntu0.23.10.1~bpo23.10.1~1718530712.65e173d159a%2Bubuntu.23.10.mantic


MariaDB 10.6.18 for Ubuntu Jammy is ready at 
https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-22.04 and 
builds pass at 
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.6/+builds?build_text=_state=all

MariaDB 10.11.8 for Ubuntu Mantic is ready at
https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-23.10 and
builds pass at
https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mariadb-10.11/+builds?build_text=_state=all

MariaDB 10.11.8 for Ubuntu Noble is ready at
https://salsa.debian.org/mariadb-team/mariadb-server/-/commits/ubuntu-24.04

If you find any issues, let me know and I will add commits to fix them.


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-16 Thread Otto Kekäläinen
** Package changed: mariadb-10.3 (Ubuntu) => mariadb (Ubuntu)


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-12 Thread Eduardo Barretto
Hi Otto, all look good, if you are ok I will proceed with the sponsoring


Re: [Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-11 Thread Otto Kekäläinen
I was waiting for some feedback. If you have none, I will merge as-is.


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-11 Thread Eduardo Barretto
Hey Otto,

sorry, I was off for a few days. So should I go ahead with the sponsor
or do you want to merge things first? Either work well for me and I can
continue with the sponsoring this week still.


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-06-06 Thread Otto Kekäläinen
Eduardo, old notes about xdelta3/pristine-tar incompatibility in
https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326.

Do you have any feedback about the import otherwise? I could update and
finalize it content-wise.

** Bug watch added: salsa.debian.org/salsa-ci-team/pipeline/-/issues #326
   https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/326


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-05-30 Thread Eduardo Barretto
Hey Otto,

sorry for the delay, the branches look good, and I could successfully build the 
package and check the diff with the PR, but I again had to bypass that issue 
with gbp not generating the orig tarball correctly.
I'm investigating this issue a bit more to see what is going on.


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-05-27 Thread Eduardo Barretto
Hi Otto,

Thanks for preparing the updates!
I will be taking a look at the PRs between today and tomorrow


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-05-26 Thread Otto Kekäläinen
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/84
(Prepare MariaDB Server 1:10.6.18-0ubuntu0.22.04.1 for upload to Ubuntu)

Let's focus on the review (and fixes) in the first MR!82 first, and only
after it is uploaded and everything went fine proceed with the two
others.


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-05-25 Thread Otto Kekäläinen
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/83
(Prepare MariaDB Server 1:10.11.8-0ubuntu0.23.10.1 for upload to Ubuntu)


[Bug 2067125] Re: CVE-2024-21096 et al affects MariaDB in Ubuntu

2024-05-24 Thread Otto Kekäläinen
Unlike previous times such as LP#2045452, this time I am trying a new
way to ask for review at
https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/82
(Prepare MariaDB Server 1:10.11.8-0ubuntu0.24.04.1 for upload to Ubuntu)
