Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: rh-mariadb103-mariadb security and bug fix update

Related Vulnerabilities: CVE-2021-2154   CVE-2021-2166   CVE-2021-2372   CVE-2021-2389   CVE-2021-35604   CVE-2021-46657   CVE-2021-46662   CVE-2021-46666   CVE-2021-46667  

Source

Synopsis

Moderate: rh-mariadb103-mariadb security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-mariadb103-mariadb and rh-mariadb103-galera is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version: rh-mariadb103-mariadb (10.3.32), rh-mariadb103-galera (25.3.34). (BZ#2050544)

Security Fix(es):

  • mysql: Server: DML unspecified vulnerability (CPU Apr 2021) (CVE-2021-2154)
  • mysql: Server: DML unspecified vulnerability (CPU Apr 2021) (CVE-2021-2166)
  • mysql: InnoDB unspecified vulnerability (CPU Jul 2021) (CVE-2021-2372)
  • mysql: InnoDB unspecified vulnerability (CPU Jul 2021) (CVE-2021-2389)
  • mysql: InnoDB unspecified vulnerability (CPU Oct 2021) (CVE-2021-35604)
  • mariadb: Integer overflow in sql_lex.cc integer leading to crash (CVE-2021-46667)
  • mariadb: Crash in get_sort_by_table() in subquery with ORDER BY having outer ref (CVE-2021-46657)
  • mariadb: Crash in set_var.cc via certain UPDATE queries with nested subqueries (CVE-2021-46662)
  • mariadb: Crash caused by mishandling of a pushdown from a HAVING clause to a WHERE clause (CVE-2021-46666)
  • mariadb: No password masking in audit log when using ALTER USER <user> IDENTIFIED BY <password> command (BZ#1981332)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • rh-mariadb103: /etc/security/user_map.conf getting overwritten with mariadb-server upgrade (BZ#2050516)
  • mysqld got signal 6, "WSREP: invalid state ROLLED_BACK (FATAL)" (BZ#2050520)
  • MariaDB logrotate leads to "gzip: stdin: file size changed while zipping" (BZ#2050538)
  • Galera doesn't work without 'procps-ng' package [rhscl-3] (BZ#2050549)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 1951752 - CVE-2021-2154 mysql: Server: DML unspecified vulnerability (CPU Apr 2021)
  • BZ - 1951755 - CVE-2021-2166 mysql: Server: DML unspecified vulnerability (CPU Apr 2021)
  • BZ - 1981332 - mariadb: No password masking in audit log when using ALTER USER <user> IDENTIFIED BY <password> command
  • BZ - 1992303 - CVE-2021-2372 mysql: InnoDB unspecified vulnerability (CPU Jul 2021)
  • BZ - 1992309 - CVE-2021-2389 mysql: InnoDB unspecified vulnerability (CPU Jul 2021)
  • BZ - 2016101 - CVE-2021-35604 mysql: InnoDB unspecified vulnerability (CPU Oct 2021)
  • BZ - 2049305 - CVE-2021-46657 mariadb: Crash in get_sort_by_table() in subquery with ORDER BY having outer ref
  • BZ - 2050019 - CVE-2021-46662 mariadb: Crash in set_var.cc via certain UPDATE queries with nested subqueries
  • BZ - 2050028 - CVE-2021-46666 mariadb: Crash caused by mishandling of a pushdown from a HAVING clause to a WHERE clause
  • BZ - 2050030 - CVE-2021-46667 mariadb: Integer overflow in sql_lex.cc integer leading to crash
  • BZ - 2050509 - rh-mariadb103-mariadb: With ALTER USER ...IDENTIFIED BY command, password doesn't get replaced by asterisks in mariadb audit log [rhscl-3] [rhscl-3.8.z]
  • BZ - 2050516 - rh-mariadb103: /etc/security/user_map.conf getting overwritten with mariadb-server upgrade [rhscl-3.8.z]
  • BZ - 2050520 - mysqld got signal 6, "WSREP: invalid state ROLLED_BACK (FATAL)" [rhscl-3.8.z]
  • BZ - 2050538 - MariaDB logrotate leads to "gzip: stdin: file size changed while zipping" [rhscl-3.8.z]
  • BZ - 2050544 - Tracker: Rebase galera package to the newest for MariaDB-10.3 (25.3.34) [rhscl-3.8.z]
  • BZ - 2050549 - Galera doesn't work without 'procps-ng' package [rhscl-3] [rhscl-3.8.z]

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started