MariaDB - Critical Vulnerability CVE-2020-13249

Discussion in 'Server Operation' started by Agent_M, May 27, 2020.

  1. Agent_M

    Agent_M Member

    Hi,
    I received the following email yesterday from my VPS provider:
    I am using Ubuntu 18.04 (I think the MariaDB version is 10.1.44?)
    1. Any advice on the best way to upgrade MariaDB?
    2. Do I just need to add the repository for a later version of MariaDB, then use apt-get to install it?
    3. Do I need to remove 10.1.44 before installing the new version?
    4. Do I need to reconfigure it once the new version is installed, or will it retain the settings from when I installed 10.1.44?
    5. Which version of MariaDB should I install, does it matter? 10.2.32 - 10.3.23 - 10.4.13 - 10.5.3?
    6. Any other advice to help prevent any kind of data loss, or serious downtime?

    Thanks for any advice you can offer :)
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You can see which version of MariaDB you have installed:
    Code:
    apt policy mariadb-server
    And for the package that has MariaDB Connector/C:
    Code:
    apt policy libmariadb3
    If you do not have that installed, then that vulnerability should not exist on your server.
    When Ubuntu releases a patch for that vulnerability, you should be able to find news about that and instructions on how to upgrade here: https://usn.ubuntu.com/releases/ubuntu-18.04-lts/
     
    Agent_M likes this.
  3. Agent_M

    Agent_M Member

    mariadb-server:
      Installed: 1:10.1.44-0ubuntu0.18.04.1
      Candidate: 1:10.1.44-0ubuntu0.18.04.1
      Version table:
     *** 1:10.1.44-0ubuntu0.18.04.1 500
            500 http://au.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
            500 http://au.archive.ubuntu.com/ubuntu bionic-updates/universe i386 Packages
            500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
            500 http://security.ubuntu.com/ubuntu bionic-security/universe i386 Packages
            100 /var/lib/dpkg/status
         1:10.1.29-6 500
            500 http://au.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
            500 http://au.archive.ubuntu.com/ubuntu bionic/universe i386 Packages

    libmariadb3:
      Installed: (none)
      Candidate: 3.0.3-1build1
      Version table:
         3.0.3-1build1 500
            500 http://au.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages


    So it doesn't look like that component is installed, so I'm good :)

    Thank you so much Taleman, saved me from an unnecessary upgrade :)
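
The check Taleman describes, as an added example that is not part of the original thread: shell functions that read `apt policy` output and report whether a package is installed, so the same test can be repeated across hosts. The function names are hypothetical, and the sample stanzas are abridged from the output posted above.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Print the "Installed:" value from PACKAGE's stanza in `apt policy` output
# read on stdin. Exit status 1 means apt printed no stanza for that package.
installed_version() {
    awk -v pkg="$1" '
        # A stanza header is a lone "name:" field; "Version table:" has two.
        NF == 1 && $1 ~ /:$/ { in_pkg = ($1 == (pkg ":")); next }
        in_pkg && $1 == "Installed:" { print $2; found = 1; exit }
        END { exit !found }
    '
}

# Classify a package as "unknown", "not-installed" or "installed <version>".
package_status() {
    local pkg="$1" policy="$2" ver
    if ! ver=$(printf '%s\n' "$policy" | installed_version "$pkg"); then
        echo "unknown"
    elif [ "$ver" = "(none)" ]; then
        echo "not-installed"
    else
        echo "installed $ver"
    fi
}

# Sample input: abridged from the apt policy output posted in this thread.
SAMPLE='mariadb-server:
  Installed: 1:10.1.44-0ubuntu0.18.04.1
  Candidate: 1:10.1.44-0ubuntu0.18.04.1
  Version table:
 *** 1:10.1.44-0ubuntu0.18.04.1 500
        100 /var/lib/dpkg/status
libmariadb3:
  Installed: (none)
  Candidate: 3.0.3-1build1
  Version table:
     3.0.3-1build1 500'

for p in mariadb-server libmariadb3; do
    printf '%s: %s\n' "$p" "$(package_status "$p" "$SAMPLE")"
done
# On a live host: package_status libmariadb3 "$(apt-cache policy libmariadb3)"
```

A result of "unknown" means the output contained no stanza for that package name, which is different from a package that apt knows about but has not installed.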
     
