[debian-mysql] Bug#1100437: mariadb: CVE-2023-52969 CVE-2023-52970 CVE-2023-52971
Salvatore Bonaccorso
carnil at debian.org
Thu Mar 13 21:48:19 GMT 2025
Source: mariadb
Version: 1:11.4.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for mariadb.
CVE-2023-52969[0]:
| MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
| through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an
| empty backtrace log. This may be related to make_aggr_tables_info
| and optimize_stage2.
CVE-2023-52970[1]:
| MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
| through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.*
| crashes in
| Item_direct_view_ref::derived_field_transformer_for_where.
CVE-2023-52971[2]:
| MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes
| in JOIN::fix_all_splittings_in_plan.
There are related MDEV issues referenced upstream and from the limited
information this seems to affect the latest versions. The MDEV are not
public accessible, so can you please clarify with upstream on their
status.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-52969
https://www.cve.org/CVERecord?id=CVE-2023-52969
https://jira.mariadb.org/browse/MDEV-32083
[1] https://security-tracker.debian.org/tracker/CVE-2023-52970
https://www.cve.org/CVERecord?id=CVE-2023-52970
https://jira.mariadb.org/browse/MDEV-32086
[2] https://security-tracker.debian.org/tracker/CVE-2023-52971
https://www.cve.org/CVERecord?id=CVE-2023-52971
https://jira.mariadb.org/browse/MDEV-32084
Regards,
Salvatore
More information about the pkg-mysql-maint
mailing list