Source: mariadb-10.3
Version: 1:10.3.22-1
Severity: grave
Tags: security upstream
Control: found -1 1:10.3.22-0+deb10u1

Hi,

The following vulnerabilities were published for mariadb-10.3, orthogonal to the severity we might discuss if this warrants a DSA or rather enough to be fixed via the next point release (gut feeling is the latter).

CVE-2020-2814[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.6.47 and prior,
| 5.7.28 and prior and 8.0.18 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access via
| multiple protocols to compromise MySQL Server. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Server. CVSS
| 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-2812[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| Server: Stored Procedure). Supported versions that are affected are
| 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily
| exploitable vulnerability allows high privileged attacker with network
| access via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-2760[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL (component:
| InnoDB). Supported versions that are affected are 5.7.29 and prior and
| 8.0.19 and prior. Easily exploitable vulnerability allows high
| privileged attacker with network access via multiple protocols to
| compromise MySQL Server. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of MySQL Server as well as
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability
| impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2020-2752[3]:
| Vulnerability in the MySQL Client product of Oracle MySQL (component:
| C API). Supported versions that are affected are 5.6.47 and prior,
| 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit
| vulnerability allows low privileged attacker with network access via
| multiple protocols to compromise MySQL Client. Successful attacks of
| this vulnerability can result in unauthorized ability to cause a hang
| or frequently repeatable crash (complete DOS) of MySQL Client. CVSS
| 3.0 Base Score 5.3 (Availability impacts). CVSS Vector:
| (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-2814
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814
[1] https://security-tracker.debian.org/tracker/CVE-2020-2812
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812
[2] https://security-tracker.debian.org/tracker/CVE-2020-2760
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2760
[3] https://security-tracker.debian.org/tracker/CVE-2020-2752
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2752

Regards,
Salvatore