Bug#1053476: galera-3: CVE-2023-5157

Salvatore Bonaccorso

Oct 4, 2023, 4:00:05 PM
Source: galera-3
Version: 25.3.37-1
Severity: important
Tags: security upstream
Forwarded: https://jira.mariadb.org/browse/MDEV-25068
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for galera-3.

CVE-2023-5157[0]:
| A vulnerability was found in MariaDB. An OpenVAS port scan on ports
| 3306 and 4567 allows a malicious remote client to cause a denial of
| service.

Can you please investigate this further? It looks like the fixes are in galera
itself.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5157
https://www.cve.org/CVERecord?id=CVE-2023-5157
[1] https://jira.mariadb.org/browse/MDEV-25068

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Otto Kekäläinen

Oct 5, 2023, 12:10:05 AM
Thanks for reporting this Salvatore!

Are you aware of what plans upstream has?

The Jira MDEV-25068 was fixed in Galera 26.4.12
(https://releases.galeracluster.com/galera-4.12/release-notes-galera-26.4.12.txt)
in 2022. I don't see any commits on
https://github.com/codership/galera/commits/3.x since 2022. I will
keep an eye out for new upstream releases.

I can also review/merge for all Debian and Ubuntu releases still in
maintenance a patch if somebody wants to submit a Debian-specific fix
at https://salsa.debian.org/mariadb-team/galera-3/-/merge_requests. On
a quick look I did not find the 26.4.12 fix
(https://github.com/search?q=repo%3Acodership%2Fgalera+MDEV-25068&type=commits)
so I am not aware of any specific commit, nor whether it can be backported
to 25.3.37.

Salvatore Bonaccorso

Oct 5, 2023, 3:50:04 PM
Hi Otto,

Thanks for the quick followup.

On Wed, Oct 04, 2023 at 08:59:31PM -0700, Otto Kekäläinen wrote:
> Thanks for reporting this Salvatore!
>
> Are you aware of what plans upstream has?

We are not; basically we need your help with this report to assess the
issue.

> The Jira MDEV-25068 was fixed in Galera 26.4.12
> (https://releases.galeracluster.com/galera-4.12/release-notes-galera-26.4.12.txt)
> in 2022. I don't see any commits on
> https://github.com/codership/galera/commits/3.x since 2022. I will
> keep an eye out for new upstream releases.
>
> I can also review/merge for all Debian and Ubuntu releases still in
> maintenance a patch if somebody wants to submit a Debian-specific fix
> at https://salsa.debian.org/mariadb-team/galera-3/-/merge_requests. On
> a quick look I did not find the 26.4.12 fix
> (https://github.com/search?q=repo%3Acodership%2Fgalera+MDEV-25068&type=commits)
> so I am not aware of any specific commit, nor whether it can be backported
> to 25.3.37.

Do you have a good upstream contact whom you could reach out to and ask
for more details, references to fixes, etc., on the issue?

Regards,
Salvatore

Salvatore Bonaccorso

Nov 20, 2023, 1:30:06 AM
Hi Adrian,

On Sun, Nov 19, 2023 at 11:10:04PM +0200, Adrian Bunk wrote:
> I looked at it for LTS and galera-3 is not affected:
>
> The upstream fix for MDEV-25068 is
> https://github.com/codership/galera/commit/930c016108d7086b472ad7a8b9d0f6989202b48a
> (26.4.12)
>
> This is in code that was introduced in
> https://github.com/codership/galera/commit/c27596d06a221f6c14d36759c681149964008749
> (26.4.8) which was not backported to galera-3.
>
> The introducing commit merged assign_local_addr() and assign_remote_addr()
> into assign_addresses().
>
> The fix is to catch the error when assign_addresses() throws asio::system_error.
>
> The two call sites of assign_local_addr/assign_remote_addr in the old code
> in gcomm/src/asio_tcp.cpp are already (in 26.4.7 and 25.3.37) of the form:
> try
> {
> ...
> assign_local_addr();
> assign_remote_addr();
> ...
> }
> catch (asio::system_error& e)
> {
> ...
> }

Thanks for the analysis of the issue.

Regards,
Salvatore
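The analysis quoted above turns on one point: the accept path survives a peer that vanishes before its addresses can be resolved only if the exception thrown by the address-assignment call is caught at the call site. The following is an added illustration of that pattern, not galera's own code and not taken from this thread. It assumes `std::system_error` as a stand-in for `asio::system_error` (which standalone asio defines as that type), and the names `FakeSocket`, `assign_addresses`, `handle_accept_unguarded`, `handle_accept_guarded` and `serve` are constructed for the example; the real functions in gcomm/src/asio_tcp.cpp take different arguments.

```cpp
#include <string>
#include <system_error>
#include <vector>

// Constructed stand-in for an accepted TCP connection. `peer_known` is false when
// the peer has already gone away, so querying its remote endpoint fails.
struct FakeSocket {
    bool peer_known;
    std::string peer;
};

// Hypothetical stand-in for galera's assign_addresses(): resolves the addresses
// of a fresh connection. Like the real function it reports failure by throwing
// (standalone asio's asio::system_error is std::system_error).
std::string assign_addresses(const FakeSocket& sock) {
    if (!sock.peer_known) {
        throw std::system_error(std::make_error_code(std::errc::not_connected),
                                "remote_endpoint");
    }
    return sock.peer;
}

// Unguarded accept path: the exception escapes the handler. Inside an io-service
// loop that terminates the whole process, so one half-open connection takes the
// node down. This is the failure mode, kept here for comparison.
bool handle_accept_unguarded(const FakeSocket& sock) {
    return !assign_addresses(sock).empty();
}

// Guarded accept path, the shape of the two pre-26.4.8 call sites described in
// the thread: failure to assign addresses is logged and the connection is
// dropped, and the listener keeps serving.
bool handle_accept_guarded(const FakeSocket& sock, std::string* log) {
    try {
        assign_addresses(sock);
        return true;
    } catch (const std::system_error& e) {
        if (log) {
            *log = std::string("dropping connection: ") + e.what();
        }
        return false;
    }
}

struct AcceptStats {
    int accepted;
    int dropped;
};

// Run a batch of incoming connections through the guarded handler, as a
// listener would, and report how many were accepted versus dropped.
AcceptStats serve(const std::vector<FakeSocket>& conns) {
    AcceptStats stats{0, 0};
    for (const FakeSocket& sock : conns) {
        std::string log;
        if (handle_accept_guarded(sock, &log)) {
            ++stats.accepted;
        } else {
            ++stats.dropped;
        }
    }
    return stats;
}
```

The detection-side takeaway is the same as the thread's: a node whose accept handler lacks the `catch` will disappear entirely on the first failed address lookup, whereas the guarded one leaves a "dropping connection" log line per bad peer and stays up. When checking whether a backport is needed, compare the call sites, not the version number, since the vulnerable code shape only exists where the merged `assign_addresses()` was introduced.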