Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: mariadb:10.5 security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2021-2154   CVE-2021-2166   CVE-2021-2372   CVE-2021-2389   CVE-2021-35604   CVE-2021-46657   CVE-2021-46658   CVE-2021-46662   CVE-2021-46666   CVE-2021-46667  

Source

Synopsis

Moderate: mariadb:10.5 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the mariadb:10.5 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

The following packages have been upgraded to a later upstream version: mariadb (10.5.13), galera (26.4.9). (BZ#2050546)

Security Fix(es):

  • mysql: Server: DML unspecified vulnerability (CPU Apr 2021) (CVE-2021-2154)
  • mysql: Server: DML unspecified vulnerability (CPU Apr 2021) (CVE-2021-2166)
  • mysql: InnoDB unspecified vulnerability (CPU Jul 2021) (CVE-2021-2372)
  • mysql: InnoDB unspecified vulnerability (CPU Jul 2021) (CVE-2021-2389)
  • mysql: InnoDB unspecified vulnerability (CPU Oct 2021) (CVE-2021-35604)
  • mariadb: Integer overflow in sql_lex.cc integer leading to crash (CVE-2021-46667)
  • mariadb: Crash in get_sort_by_table() in subquery with ORDER BY having outer ref (CVE-2021-46657)
  • mariadb: save_window_function_values triggers an abort during IN subquery (CVE-2021-46658)
  • mariadb: Crash in set_var.cc via certain UPDATE queries with nested subqueries (CVE-2021-46662)
  • mariadb: Crash caused by mishandling of a pushdown from a HAVING clause to a WHERE clause (CVE-2021-46666)
  • mariadb: No password masking in audit log when using ALTER USER <user> IDENTIFIED BY <password> command (BZ#1981332)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • mariadb-10.5-module: /etc/security/user_map.conf getting overwritten with mariadb-server upgrade (BZ#2050515)
  • mariadb-server:10.5 in centos8 stream is not shipping wsrep_sst_rsync_tunnel (BZ#2050524)
  • Galera doesn't work without 'procps-ng' package MariaDB-10.5 (BZ#2050542)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.

Affected Products

  • Red Hat Enterprise Linux for IBM z Systems 8 s390x

Fixes

  • BZ - 1951752 - CVE-2021-2154 mysql: Server: DML unspecified vulnerability (CPU Apr 2021)
  • BZ - 1951755 - CVE-2021-2166 mysql: Server: DML unspecified vulnerability (CPU Apr 2021)
  • BZ - 1981332 - mariadb: No password masking in audit log when using ALTER USER <user> IDENTIFIED BY <password> command
  • BZ - 1992303 - CVE-2021-2372 mysql: InnoDB unspecified vulnerability (CPU Jul 2021)
  • BZ - 1992309 - CVE-2021-2389 mysql: InnoDB unspecified vulnerability (CPU Jul 2021)
  • BZ - 2016101 - CVE-2021-35604 mysql: InnoDB unspecified vulnerability (CPU Oct 2021)
  • BZ - 2049294 - CVE-2021-46658 mariadb: save_window_function_values triggers an abort during IN subquery
  • BZ - 2049305 - CVE-2021-46657 mariadb: Crash in get_sort_by_table() in subquery with ORDER BY having outer ref
  • BZ - 2050019 - CVE-2021-46662 mariadb: Crash in set_var.cc via certain UPDATE queries with nested subqueries
  • BZ - 2050028 - CVE-2021-46666 mariadb: Crash caused by mishandling of a pushdown from a HAVING clause to a WHERE clause
  • BZ - 2050030 - CVE-2021-46667 mariadb: Integer overflow in sql_lex.cc integer leading to crash
  • BZ - 2050515 - mariadb-10.5-module: /etc/security/user_map.conf getting overwritten with mariadb-server upgrade [rhel-8.5.0.z]
  • BZ - 2050524 - mariadb-server:10.5 in centos8 stream is not shipping wsrep_sst_rsync_tunnel [rhel-8.5.0.z]
  • BZ - 2050542 - Galera doesn't work without 'procps-ng' package MariaDB-10.5 [rhel-8.5.0.z]
  • BZ - 2050546 - Tracker: Rebase galera package to the newest for MariaDB-10.5 (25.4.9) [rhel-8.5.0.z]

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started