Your message dated Sun, 08 Jun 2025 12:25:52 +0000
with message-id <e1uof60-005ktz...@fasolo.debian.org>
and subject line Bug#1100437: fixed in mariadb 1:11.8.2-1
has caused the Debian Bug report #1100437,
regarding mariadb: CVE-2023-52969 CVE-2023-52970 CVE-2023-52971
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1100437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100437
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mariadb
Version: 1:11.4.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for mariadb.

CVE-2023-52969[0]:
| MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
| through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an
| empty backtrace log. This may be related to make_aggr_tables_info
| and optimize_stage2.

CVE-2023-52970[1]:
| MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
| through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.*
| crashes in
| Item_direct_view_ref::derived_field_transformer_for_where.

CVE-2023-52971[2]:
| MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes
| in JOIN::fix_all_splittings_in_plan.

There are related MDEV issues referenced upstream and from the limited
information this seems to affect the latest versions. The MDEV are not
publicly accessible, so can you please clarify with upstream on their
status.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52969
    https://www.cve.org/CVERecord?id=CVE-2023-52969
    https://jira.mariadb.org/browse/MDEV-32083
[1] https://security-tracker.debian.org/tracker/CVE-2023-52970
    https://www.cve.org/CVERecord?id=CVE-2023-52970
    https://jira.mariadb.org/browse/MDEV-32086
[2] https://security-tracker.debian.org/tracker/CVE-2023-52971
    https://www.cve.org/CVERecord?id=CVE-2023-52971
    https://jira.mariadb.org/browse/MDEV-32084

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mariadb
Source-Version: 1:11.8.2-1
Done: Otto Kekäläinen <o...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mariadb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otto Kekäläinen <o...@debian.org> (supplier of updated mariadb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 08 Jun 2025 11:19:07 +0300
Source: mariadb
Architecture: source
Version: 1:11.8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Otto Kekäläinen <o...@debian.org>
Closes: 1100437 1105976
Changes:
 mariadb (1:11.8.2-1) unstable; urgency=medium
 .
   * New upstream version 11.8.2, which also announces the 11.8 series now
     ready for general availability (GA) with security releases for 5 years.
     This release includes fixes for several defects as noted at
     https://mariadb.com/kb/en/mariadb-11-8-2-release-notes/ as well
     the following security issues (Closes: #1100437, #1105976):
     - CVE-2023-52969
     - CVE-2023-52970
     - CVE-2023-52971
     - CVE-2025-30693
     - CVE-2025-30722
   * Drop all RocksDB patches now upstream due to update to version 6.29fb
   * Drop PCRE2 10.45 compatibility patch obsoleted by upstream test change
   * Update configuration traces to include new upstream system variables:
     - innodb-buffer-pool-size-auto-min (default: 0)
     - innodb-buffer-pool-size-max (default: 0)
     - innodb-log-checkpoint-now (default: FALSE)
   * Also update configuration traces to match that in 11.8.2 the variables
     innodb-buffer-pool-chunk-size and innodb-log-spin-wait-delay are advertised
     as deprecated.
   * Disable new unreliable test main.mysql-interactive
   * Add Breaks/Replaces for files moved around in src:mysql-8.4 (LP: #2110378)
   * Update mariadb-server.NEWS with information about MariaDB 11.8 and
   * best practices for creating app user and allowing remote connections
   * Add patch to improve output from mariadb-secure-installation
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---