Security update for mariadb

Announcement ID:	SUSE-SU-2022:3159-1
Rating:	important
References:	bsc#1200105 bsc#1201161 bsc#1201162 bsc#1201163 bsc#1201164 bsc#1201165 bsc#1201166 bsc#1201167 bsc#1201168 bsc#1201169 bsc#1201170
Cross-References:	CVE-2022-32081 CVE-2022-32082 CVE-2022-32083 CVE-2022-32084 CVE-2022-32085 CVE-2022-32086 CVE-2022-32087 CVE-2022-32088 CVE-2022-32089 CVE-2022-32091
CVSS scores:	CVE-2022-32081 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32081 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32082 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32082 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32083 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32083 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32084 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32084 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32085 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32085 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32086 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32086 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32087 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32087 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32088 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32088 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32089 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32089 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-32091 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2022-32091 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Galera for Ericsson 15 SP4 openSUSE Leap 15.4 Server Applications Module 15-SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves 10 vulnerabilities and has one security fix can now be installed.

Description:

This update for mariadb fixes the following issues:

• Updated to 10.6.9:
• CVE-2022-32082: Fixed a reachable assertion that would crash the server (bsc#1201162).
• CVE-2022-32089: Fixed a segmentation fault that coudl be triggered via a crafted query (bsc#1201169).
• CVE-2022-32081: Fixed a buffer overflow on instant ADD/DROP of generated column (bsc#1201161).
• CVE-2022-32091: Fixed a memory corruption issue that could be triggered via a crafted query (bsc#1201170).

• CVE-2022-32084: Fixed a segmentation fault on INSERT SELECT queries (bsc#1201164).

• Additionaly, the following issues were previously fixed:

• CVE-2022-32088: Fixed a server crash when using ORDER BY with window function and UNION(bsc#1201168).
• CVE-2022-32087: Fixed a segmentation fault that could be triggered via a crafted query (bsc#1201167).
• CVE-2022-32086: Fixed a server crash on INSERT SELECT queries (bsc#1201166).
• CVE-2022-32085: Fixed a segmentation fault that could be triggered via a crafted query (bsc#1201165).
• CVE-2022-32083: Fixed a segmentation fault that could be triggered via a crafted query (bsc#1201163).

Bugfixes:

• Update mysql-systemd-helper to be aware of custom group (bsc#1200105).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2022-3159=1
• Server Applications Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2022-3159=1
• Galera for Ericsson 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-ERICSSON-2022-3159=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • mariadb-galera-10.6.9-150400.3.12.1
  • mariadb-debugsource-10.6.9-150400.3.12.1
  • libmariadbd19-10.6.9-150400.3.12.1
  • mariadb-tools-10.6.9-150400.3.12.1
  • mariadb-bench-10.6.9-150400.3.12.1
  • mariadb-test-10.6.9-150400.3.12.1
  • mariadb-test-debuginfo-10.6.9-150400.3.12.1
  • mariadb-tools-debuginfo-10.6.9-150400.3.12.1
  • mariadb-bench-debuginfo-10.6.9-150400.3.12.1
  • mariadb-10.6.9-150400.3.12.1
  • mariadb-debuginfo-10.6.9-150400.3.12.1
  • mariadb-client-debuginfo-10.6.9-150400.3.12.1
  • libmariadbd-devel-10.6.9-150400.3.12.1
  • mariadb-client-10.6.9-150400.3.12.1
  • libmariadbd19-debuginfo-10.6.9-150400.3.12.1
  • mariadb-rpm-macros-10.6.9-150400.3.12.1
• openSUSE Leap 15.4 (noarch)
  • mariadb-errormessages-10.6.9-150400.3.12.1
• Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • mariadb-debugsource-10.6.9-150400.3.12.1
  • libmariadbd19-10.6.9-150400.3.12.1
  • mariadb-tools-10.6.9-150400.3.12.1
  • mariadb-tools-debuginfo-10.6.9-150400.3.12.1
  • mariadb-10.6.9-150400.3.12.1
  • mariadb-debuginfo-10.6.9-150400.3.12.1
  • mariadb-client-debuginfo-10.6.9-150400.3.12.1
  • libmariadbd-devel-10.6.9-150400.3.12.1
  • mariadb-client-10.6.9-150400.3.12.1
  • libmariadbd19-debuginfo-10.6.9-150400.3.12.1
• Server Applications Module 15-SP4 (noarch)
  • mariadb-errormessages-10.6.9-150400.3.12.1
• Galera for Ericsson 15 SP4 (x86_64)
  • mariadb-galera-10.6.9-150400.3.12.1

References:

• https://www.suse.com/security/cve/CVE-2022-32081.html
• https://www.suse.com/security/cve/CVE-2022-32082.html
• https://www.suse.com/security/cve/CVE-2022-32083.html
• https://www.suse.com/security/cve/CVE-2022-32084.html
• https://www.suse.com/security/cve/CVE-2022-32085.html
• https://www.suse.com/security/cve/CVE-2022-32086.html
• https://www.suse.com/security/cve/CVE-2022-32087.html
• https://www.suse.com/security/cve/CVE-2022-32088.html
• https://www.suse.com/security/cve/CVE-2022-32089.html
• https://www.suse.com/security/cve/CVE-2022-32091.html
• https://bugzilla.suse.com/show_bug.cgi?id=1200105
• https://bugzilla.suse.com/show_bug.cgi?id=1201161
• https://bugzilla.suse.com/show_bug.cgi?id=1201162
• https://bugzilla.suse.com/show_bug.cgi?id=1201163
• https://bugzilla.suse.com/show_bug.cgi?id=1201164
• https://bugzilla.suse.com/show_bug.cgi?id=1201165
• https://bugzilla.suse.com/show_bug.cgi?id=1201166
• https://bugzilla.suse.com/show_bug.cgi?id=1201167
• https://bugzilla.suse.com/show_bug.cgi?id=1201168
• https://bugzilla.suse.com/show_bug.cgi?id=1201169
• https://bugzilla.suse.com/show_bug.cgi?id=1201170