Security update for mariadb

Announcement ID:	SUSE-SU-2022:2561-1
Rating:	important
References:	bsc#1195076 bsc#1195325 bsc#1195334 bsc#1195339 bsc#1196016 bsc#1198603 bsc#1198604 bsc#1198605 bsc#1198606 bsc#1198607 bsc#1198609 bsc#1198610 bsc#1198611 bsc#1198612 bsc#1198613 bsc#1198628 bsc#1198629 bsc#1198630 bsc#1198631 bsc#1198632 bsc#1198633 bsc#1198634 bsc#1198635 bsc#1198636 bsc#1198637 bsc#1198638 bsc#1198639 bsc#1198640 bsc#1199928 jsc#SLE-22245
Cross-References:	CVE-2021-46657 CVE-2021-46658 CVE-2021-46659 CVE-2021-46661 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46668 CVE-2021-46669 CVE-2022-24048 CVE-2022-24050 CVE-2022-24051 CVE-2022-24052 CVE-2022-27376 CVE-2022-27377 CVE-2022-27378 CVE-2022-27379 CVE-2022-27380 CVE-2022-27381 CVE-2022-27382 CVE-2022-27383 CVE-2022-27384 CVE-2022-27386 CVE-2022-27387 CVE-2022-27444 CVE-2022-27445 CVE-2022-27446 CVE-2022-27447 CVE-2022-27448 CVE-2022-27449 CVE-2022-27451 CVE-2022-27452 CVE-2022-27455 CVE-2022-27456 CVE-2022-27457 CVE-2022-27458
CVSS scores:	CVE-2021-46657 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-46657 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46658 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-46658 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46659 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-46659 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46661 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46661 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46663 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-46663 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46664 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46665 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46668 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-46669 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-24048 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-24050 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-24051 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-24052 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-27376 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27376 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27377 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27377 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27378 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27378 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27379 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27379 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27380 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27380 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27381 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27381 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27382 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27382 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27383 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27383 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27384 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27384 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27386 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27386 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27387 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-27387 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27444 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27444 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27445 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27445 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27446 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27446 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27447 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27447 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27448 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27448 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27449 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27449 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27451 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27451 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27452 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27452 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27455 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27455 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27456 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27456 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27457 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27457 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27458 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-27458 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Galera for Ericsson 15 SP4 openSUSE Leap 15.4 Server Applications Module 15-SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves 36 vulnerabilities and contains one feature can now be installed.

Description:

This update for mariadb fixes the following issues:

• Added mariadb-galera (jsc#SLE-22245)

Update to 10.6.8 (bsc#1199928):

• CVE-2021-46669 (bsc#1199928)
• CVE-2022-27376 (bsc#1198628)
• CVE-2022-27377 (bsc#1198603)
• CVE-2022-27378 (bsc#1198604)
• CVE-2022-27379 (bsc#1198605)
• CVE-2022-27380 (bsc#1198606)
• CVE-2022-27381 (bsc#1198607)
• CVE-2022-27382 (bsc#1198609)
• CVE-2022-27383 (bsc#1198610)
• CVE-2022-27384 (bsc#1198611)
• CVE-2022-27386 (bsc#1198612)
• CVE-2022-27387 (bsc#1198613)
• CVE-2022-27444 (bsc#1198634)
• CVE-2022-27445 (bsc#1198629)
• CVE-2022-27446 (bsc#1198630)
• CVE-2022-27447 (bsc#1198631)
• CVE-2022-27448 (bsc#1198632)
• CVE-2022-27449 (bsc#1198633)
• CVE-2022-27451 (bsc#1198639)
• CVE-2022-27452 (bsc#1198640)
• CVE-2022-27455 (bsc#1198638)
• CVE-2022-27456 (bsc#1198635)
• CVE-2022-27457 (bsc#1198636)

• CVE-2022-27458 (bsc#1198637)

• The following issue is not affecting this package: CVE-2022-21427

Update to 10.6.7 (bsc#1196016):

• CVE-2021-46665, CVE-2021-46664, CVE-2021-46661, CVE-2021-46668, CVE-2021-46663

Update to 10.6.6:

• CVE-2022-24052, CVE-2022-24051, CVE-2022-24050, CVE-2022-24048, CVE-2021-46659 (bsc#1195339)

The following issues have been fixed already but didn't have CVE references:

• CVE-2021-46658 (bsc#1195334)
• CVE-2021-46657 (bsc#1195325)

Non security fixes:

• Skip failing tests for s390x, fixes bsc#1195076

External refernences:

• https://mariadb.com/kb/en/library/mariadb-1068-release-notes
• https://mariadb.com/kb/en/library/mariadb-1068-changelog
• https://mariadb.com/kb/en/library/mariadb-1067-release-notes
• https://mariadb.com/kb/en/library/mariadb-1067-changelog
• https://mariadb.com/kb/en/library/mariadb-1066-release-notes
• https://mariadb.com/kb/en/library/mariadb-1066-changelog

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2022-2561=1
• Server Applications Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2022-2561=1
• Galera for Ericsson 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-ERICSSON-2022-2561=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • mariadb-rpm-macros-10.6.8-150400.3.7.1
  • libmariadbd19-10.6.8-150400.3.7.1
  • mariadb-galera-10.6.8-150400.3.7.1
  • mariadb-test-debuginfo-10.6.8-150400.3.7.1
  • mariadb-test-10.6.8-150400.3.7.1
  • libmariadbd-devel-10.6.8-150400.3.7.1
  • mariadb-client-10.6.8-150400.3.7.1
  • mariadb-tools-10.6.8-150400.3.7.1
  • mariadb-tools-debuginfo-10.6.8-150400.3.7.1
  • mariadb-debugsource-10.6.8-150400.3.7.1
  • mariadb-bench-10.6.8-150400.3.7.1
  • mariadb-bench-debuginfo-10.6.8-150400.3.7.1
  • libmariadbd19-debuginfo-10.6.8-150400.3.7.1
  • mariadb-client-debuginfo-10.6.8-150400.3.7.1
  • mariadb-debuginfo-10.6.8-150400.3.7.1
  • mariadb-10.6.8-150400.3.7.1
• openSUSE Leap 15.4 (noarch)
  • mariadb-errormessages-10.6.8-150400.3.7.1
• Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  • libmariadbd19-10.6.8-150400.3.7.1
  • mariadb-tools-10.6.8-150400.3.7.1