The following announcement comes from the MariaDB package maintainers today (as it is released on Debian).
I just want to draw the attention of the Virtualmin team to this, lest it causes some unexpected behavior.
I read the announcement but couldn’t do an evaluation myself how important it could be, because I don’t know how the backup feature internally works in Virtualmin.
Thank you for your kind attention.
@Ilia @Joe
mariadb-10.5 (1:10.5.26-0+deb11u1) bullseye; urgency=medium
Fixes related to CVE-2024-21096 may break forwards and backwards
compatibility on in certain situations when doing logical backup and restore
with plain SQL files (e.g. when using `mariadb-dump` or `mysqldump`).
The MariaDB client now has the command-line option `--sandbox` and the
MariaDB client database prompt command `\-`. This enables sandbox mode for
the rest of the session, until disconnected. Once in sandbox mode, any
command that could do something on the shell is disabled.
Additionally `mariadb-dump` now adds the following command inside a comment
at the very top of the logical SQL file to trigger sandbox mode:
/*M!999999\- enable the sandbox mode */
Newer version of MariaDB clients strip away the backslash and dash (\-), and
then tries to execute the internal command with a dash. However, importing
a SQL dump from a newer version on an older version will result in an error:
$ mariadb --version
mariadb Ver 15.1 Distrib 10.5.23-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
$ mariadb -e '/*M!999999\- enable the sandbox mode */'
ERROR at line 1: Unknown command '\-'.
Importing new logical SQL dumps on old software versions is not advised for
potential other compatibility reasons either, so this scenario is likely rare.
Users are best protected from both security issues and interoperability
issues by using the latest `mariadb-dump` shipped in MariaDB 11.4.3, 10.11.9,
10.6.19 and 10.5.26. The CVE-2024-21096 was officially fixed already in
11.4.2, but the latest batch of MariaDB minor maintenance releases include
further improvements on the sandbox mode.
Note that the `mariadb-dump` can be used to make the logical backups from
both MariaDB and MySQL servers. Also the `mariadb` client program can connect
to both MariaDB and MySQL servers and import those SQL dump files.
Further details about what kind of security issues injecting shell commands
into a logical SQL dump may pose and how to protect against them can be found
in:
* https://jfg-mysql.blogspot.com/2024/06/trusting-mysqldump-and-insecure-client-lead-to-remote-code-execution.html
* https://mariadb.org/mariadb-dump-file-compatibility-change/
-- Otto Kekäläinen <otto@debian.org> Tue, 06 Aug 2024 22:11:24 +0000