galera-3: CVE-2023-5157


Debian Bug report logs - #1053476

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 4 Oct 2023 19:51:01 UTC

Severity: important

Tags: security, upstream

Found in version galera-3/25.3.37-1

Forwarded to https://jira.mariadb.org/browse/MDEV-25068



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#1053476; Package src:galera-3. (Wed, 04 Oct 2023 19:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Wed, 04 Oct 2023 19:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: galera-3: CVE-2023-5157
Date: Wed, 04 Oct 2023 21:46:34 +0200
Source: galera-3
Version: 25.3.37-1
Severity: important
Tags: security upstream
Forwarded: https://jira.mariadb.org/browse/MDEV-25068
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for galera-3.

CVE-2023-5157[0]:
| A vulnerability was found in MariaDB. An OpenVAS port scan on ports
| 3306 and 4567 allows a malicious remote client to cause a denial of
| service.

Can you please investigate this further; it looks like the fixes are in galera
itself.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5157
    https://www.cve.org/CVERecord?id=CVE-2023-5157
[1] https://jira.mariadb.org/browse/MDEV-25068

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#1053476; Package src:galera-3. (Thu, 05 Oct 2023 04:03:02 GMT)


Acknowledgement sent to Otto Kekäläinen <otto@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Thu, 05 Oct 2023 04:03:02 GMT)


Message #10 received at 1053476@bugs.debian.org:

From: Otto Kekäläinen <otto@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1053476@bugs.debian.org
Subject: Re: [debian-mysql] Bug#1053476: galera-3: CVE-2023-5157
Date: Wed, 4 Oct 2023 20:59:31 -0700

Thanks for reporting this Salvatore!

Are you aware of what plans upstream has?

The Jira MDEV-25068 was fixed in Galera 26.4.12
(https://releases.galeracluster.com/galera-4.12/release-notes-galera-26.4.12.txt)
in 2022. I don't see any commits on
https://github.com/codership/galera/commits/3.x since 2022. I will
keep an eye out for new upstream releases.

I can also review/merge for all Debian and Ubuntu releases still in
maintenance a patch if somebody wants to submit a Debian-specific fix
at https://salsa.debian.org/mariadb-team/galera-3/-/merge_requests. On
a quick look I did not find the 26.4.12 fix
(https://github.com/search?q=repo%3Acodership%2Fgalera+MDEV-25068&type=commits),
so I am not aware of any specific commit, nor whether it can be backported
to 25.3.37.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Oct 5 17:52:29 2023; Machine Name: buxtehude
