MariaDB update comes to Debian Bullseye today

The following announcement comes from the MariaDB package maintainers today (as it is released on Debian).
I just want to draw the attention of the Virtualmin team to this, lest it causes some unexpected behavior.
I read the announcement but couldn’t evaluate myself how important it could be, because I don’t know how the backup feature internally works in Virtualmin.

Thank you for your kind attention.
@Ilia @Joe

mariadb-10.5 (1:10.5.26-0+deb11u1) bullseye; urgency=medium

  Fixes related to CVE-2024-21096 may break forwards and backwards
  compatibility in certain situations when doing logical backup and restore
  with plain SQL files (e.g. when using `mariadb-dump` or `mysqldump`).

  The MariaDB client now has the command-line option `--sandbox` and the
  MariaDB client database prompt command `\-`. This enables sandbox mode for
  the rest of the session, until disconnected. Once in sandbox mode, any
  command that could do something on the shell is disabled.

  Additionally `mariadb-dump` now adds the following command inside a comment
  at the very top of the logical SQL file to trigger sandbox mode:

    /*M!999999\- enable the sandbox mode */

  Newer versions of MariaDB clients strip away the backslash and dash (\-), and
  then try to execute the internal command with a dash. However, importing
  a SQL dump from a newer version on an older version will result in an error:

    $ mariadb --version
    mariadb  Ver 15.1 Distrib 10.5.23-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper
    $ mariadb -e '/*M!999999\- enable the sandbox mode */'
    ERROR at line 1: Unknown command '\-'.

  Importing new logical SQL dumps on old software versions is not advised for
  potential other compatibility reasons either, so this scenario is likely rare.

  Users are best protected from both security issues and interoperability
  issues by using the latest `mariadb-dump` shipped in MariaDB 11.4.3, 10.11.9,
  10.6.19 and 10.5.26. The CVE-2024-21096 was officially fixed already in
  11.4.2, but the latest batch of MariaDB minor maintenance releases include
  further improvements on the sandbox mode.

  Note that the `mariadb-dump` can be used to make the logical backups from
  both MariaDB and MySQL servers. Also the `mariadb` client program can connect
  to both MariaDB and MySQL servers and import those SQL dump files.

  Further details about what kind of security issues injecting shell commands
  into a logical SQL dump may pose and how to protect against them can be found
  in:

  * https://jfg-mysql.blogspot.com/2024/06/trusting-mysqldump-and-insecure-client-lead-to-remote-code-execution.html
  * https://mariadb.org/mariadb-dump-file-compatibility-change/

 -- Otto Kekäläinen <otto@debian.org>  Tue, 06 Aug 2024 22:11:24 +0000
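The changelog describes two things an administrator can check before a restore: whether a dump file starts with the `/*M!999999\- enable the sandbox mode */` comment, and whether the `mariadb` client that will read it is new enough to understand the `\-` command. The following pre-flight script is an added example, not part of the Debian changelog, Virtualmin or MariaDB; it works on constructed sample dumps and version banners. It assumes that the release versions named in the changelog (10.5.26, 10.6.19, 10.11.9, 11.4.3) are the minimum known-good client versions per series and treats any other series as not confirmed; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check before importing a logical SQL dump with the mariadb client.
# Added example, not code from the changelog, Debian, Virtualmin or MariaDB.

# Exact comment that a fixed mariadb-dump writes on line 1 (from the changelog).
SANDBOX_MARKER='/*M!999999\- enable the sandbox mode */'

# Assumption: the releases named in the changelog are the minimum client
# versions per series that understand the "\-" sandbox command.
SANDBOX_MIN_VERSIONS="10.5.26 10.6.19 10.11.9 11.4.3"

# Version banner quoted in the changelog (an older client that errors out).
OLD_BANNER='mariadb  Ver 15.1 Distrib 10.5.23-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper'
# Constructed banner for a client on the fixed release.
NEW_BANNER='mariadb  Ver 15.1 Distrib 10.5.26-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper'

# dump_has_sandbox_header FILE: succeeds if the first line carries the marker.
dump_has_sandbox_header() {
    head -n 1 "$1" | grep -Fq -- "$SANDBOX_MARKER"
}

# client_version_from_banner BANNER: prints the dotted version, e.g. 10.5.23.
client_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Distrib \([0-9][0-9.]*\)-MariaDB.*/\1/p'
}

# version_ge A B: succeeds if dotted version A >= B (numeric per component).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# client_supports_sandbox VERSION: succeeds only if VERSION is on a series
# listed above and at or above that series' minimum. Unknown series fail,
# i.e. they are reported as "not confirmed" rather than guessed.
client_supports_sandbox() {
    v="$1"
    series="${v%.*}"                       # 10.5.23 -> 10.5
    for min in $SANDBOX_MIN_VERSIONS; do
        if [ "${min%.*}" = "$series" ]; then
            if version_ge "$v" "$min"; then return 0; else return 1; fi
        fi
    done
    return 1
}

# check_restore DUMP BANNER: prints a verdict; returns 1 when the import
# would hit "Unknown command '\-'" on this client.
check_restore() {
    if ! dump_has_sandbox_header "$1"; then
        printf '%s\n' "$1: no sandbox header (dump made by a pre-fix mariadb-dump); import will parse"
        return 0
    fi
    v=$(client_version_from_banner "$2")
    if client_supports_sandbox "$v"; then
        printf '%s\n' "$1: sandbox header present and client $v understands \\-: OK"
        return 0
    fi
    printf '%s\n' "$1: sandbox header present but client $v is not confirmed to support \\-: import would fail"
    return 1
}

# make_sample_dumps DIR: writes two constructed dumps, one with the header and one without.
make_sample_dumps() {
    printf '%s\n' "$SANDBOX_MARKER" '-- constructed sample dump' 'CREATE TABLE t (id INT);' > "$1/new.sql"
    printf '%s\n' '-- constructed sample dump' 'CREATE TABLE t (id INT);' > "$1/old.sql"
}

# Stand-alone demo on the constructed files; a real script would pass "$(mariadb --version)".
demo_dir=$(mktemp -d)
make_sample_dumps "$demo_dir"
check_restore "$demo_dir/new.sql" "$OLD_BANNER" || true
check_restore "$demo_dir/new.sql" "$NEW_BANNER" || true
check_restore "$demo_dir/old.sql" "$OLD_BANNER" || true
rm -rf "$demo_dir"
```

To use it against a real restore target, replace the banner argument with `"$(mariadb --version)"` on the host that will run the import; the verdict only covers the `\-` header, not the other compatibility reasons the changelog warns about.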

MariaDB version isn’t controlled by the Virtualmin team, that’s part of the OS and their repo.

I haven’t upgraded it yet. I’m just waiting to see if problem reports start popping up. :wink:


Of course, but Virtualmin uses the “dump” functionality, which the release note mentions has a change that might break things.

@vending_makina I think you are right, it deserves a look over by the team just to be sure. The backup feature is incredibly important and mariadb is on all/most linux platforms.

This is more readable and I would use this to check your version if it is affected; the issue seems to occur only if you import into an unsupported version.


This is indeed much clearer. Thank you for sharing it.

And for the record, this latest update (on my Debian Bullseye) is a security update to mariadb-server from 10.5.23-0+deb11u1 to 10.5.26-0+deb11u2.
