An update for mariadb is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1250 Final 1.0 1.0 2021-07-03 Initial 2021-07-03 2021-07-03 openEuler SA Tool V1.0 2021-07-03 mariadb security update An update for mariadb is now available for openEuler-20.03-LTS-SP1. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases. Security Fix(es): A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.(CVE-2021-27928) A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.(CVE-2020-15180) An update for mariadb is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical mariadb https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1250 https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-27928 https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-15180 https://nvd.nist.gov/vuln/detail/CVE-2021-27928 https://nvd.nist.gov/vuln/detail/CVE-2020-15180 openEuler-20.03-LTS-SP1 mariadb-common-10.3.9-11.oe1.aarch64.rpm mariadb-cracklib-10.3.9-11.oe1.aarch64.rpm mariadb-debugsource-10.3.9-11.oe1.aarch64.rpm mariadb-10.3.9-11.oe1.aarch64.rpm mariadb-oqgraph-engine-10.3.9-11.oe1.aarch64.rpm mariadb-embedded-10.3.9-11.oe1.aarch64.rpm mariadb-gssapi-server-10.3.9-11.oe1.aarch64.rpm mariadb-server-10.3.9-11.oe1.aarch64.rpm mariadb-devel-10.3.9-11.oe1.aarch64.rpm mariadb-server-galera-10.3.9-11.oe1.aarch64.rpm mariadb-backup-10.3.9-11.oe1.aarch64.rpm mariadb-debuginfo-10.3.9-11.oe1.aarch64.rpm mariadb-embedded-devel-10.3.9-11.oe1.aarch64.rpm mariadb-errmessage-10.3.9-11.oe1.aarch64.rpm mariadb-test-10.3.9-11.oe1.aarch64.rpm mariadb-10.3.9-11.oe1.src.rpm mariadb-gssapi-server-10.3.9-11.oe1.x86_64.rpm mariadb-oqgraph-engine-10.3.9-11.oe1.x86_64.rpm mariadb-devel-10.3.9-11.oe1.x86_64.rpm mariadb-cracklib-10.3.9-11.oe1.x86_64.rpm mariadb-debuginfo-10.3.9-11.oe1.x86_64.rpm mariadb-10.3.9-11.oe1.x86_64.rpm mariadb-errmessage-10.3.9-11.oe1.x86_64.rpm mariadb-common-10.3.9-11.oe1.x86_64.rpm mariadb-debugsource-10.3.9-11.oe1.x86_64.rpm mariadb-embedded-10.3.9-11.oe1.x86_64.rpm mariadb-server-10.3.9-11.oe1.x86_64.rpm mariadb-server-galera-10.3.9-11.oe1.x86_64.rpm mariadb-embedded-devel-10.3.9-11.oe1.x86_64.rpm mariadb-test-10.3.9-11.oe1.x86_64.rpm mariadb-backup-10.3.9-11.oe1.x86_64.rpm A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product. 2021-07-03 CVE-2021-27928 openEuler-20.03-LTS-SP1 High 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H mariadb security update 2021-07-03 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1250 A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6. 2021-07-03 CVE-2020-15180 openEuler-20.03-LTS-SP1 Critical 9.0 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H mariadb security update 2021-07-03 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1250