Advisories » MGAA-2020-0228

Updated mariadb packages fix problems with mysql-connectors

Publication date: 13 Nov 2020
Type: bugfix
Affected Mageia releases: 7

Description

Emergency release of MariaDB fixes problems with buggy mysql-connectors
(PHP, Python and Java).

The previous Mageia update, MariaDB 10.3.26, included a security-related change:
the MariaDB server became more strict about accepting network packets from the
client. It never was particularly trusting, but there was still a loophole in
the handling of prepared statements, where the server simply assumed that the
client sends correctly formed data. Not anymore: since early November the server
strictly validates all incoming packets and rejects invalid ones. This made
the server more secure against malicious clients that intentionally send
specially crafted invalid packets.

Alas, it turned out that some popular connectors routinely send invalid
packets violating protocol specifications. Among those connectors are old
versions of the mysqlnd in PHP (fixed in PHP 7.3) and all versions of
mysql-connector-python and mysql-connector-j.
Luckily, mysql-connector-c implements the protocol correctly according to the
specifications.

But regardless of where the bug is, from the user's point of view it is the MariaDB
upgrade that broke their applications, and they cannot always move to PHP 7.3
or wait for Oracle (Java) to fix its connectors.
To help them, upstream released an emergency bug fix that partially relaxes
packet validation and allows garbage at the end of the packet that these
connectors send. It does not make the server less secure as long as the server
never tries to use this garbage.
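To make the difference between strict and relaxed packet validation concrete, here is an added Python illustration (not MariaDB's own code) of a minimal parser for a COM_STMT_EXECUTE packet: in strict mode it rejects any bytes left after the last expected field, in relaxed mode it tolerates them but never reads them. The packets are constructed samples, and only MYSQL_TYPE_LONG parameters are handled.

```python
import struct

COM_STMT_EXECUTE = 0x17
MYSQL_TYPE_LONG = 0x03  # 4-byte signed integer parameter (the only type handled here)

def parse_stmt_execute(packet, num_params, allow_trailing=False):
    # Strict mode rejects leftover bytes after the last expected field; relaxed
    # mode (what the emergency fix does) tolerates them but never reads them.
    payload = packet[4:]  # header: 3-byte little-endian length, 1-byte sequence id
    if len(payload) != int.from_bytes(packet[:3], "little"):
        raise ValueError("payload length does not match header")
    if len(payload) < 10 or payload[0] != COM_STMT_EXECUTE:
        raise ValueError("not a COM_STMT_EXECUTE payload")
    stmt_id, _flags, _iterations = struct.unpack_from("<IBI", payload, 1)
    pos, values, types = 10, [], []
    if num_params > 0:
        bitmap_len = (num_params + 7) // 8
        null_bitmap, pos = payload[pos:pos + bitmap_len], pos + bitmap_len
        if len(null_bitmap) != bitmap_len or pos >= len(payload):
            raise ValueError("truncated null bitmap or new-params-bound flag")
        new_params_bound, pos = payload[pos], pos + 1
        if new_params_bound == 1:  # a type list follows, 2 bytes per parameter
            if pos + 2 * num_params > len(payload):
                raise ValueError("truncated type list")
            types = [payload[pos + 2 * i] for i in range(num_params)]
            pos += 2 * num_params
        for i in range(num_params):
            if null_bitmap[i // 8] >> (i % 8) & 1:
                values.append(None)
                continue
            if i >= len(types) or types[i] != MYSQL_TYPE_LONG:
                raise ValueError("unsupported parameter type")
            if pos + 4 > len(payload):
                raise ValueError("truncated parameter value")
            values.append(struct.unpack_from("<i", payload, pos)[0])
            pos += 4
    trailing = len(payload) - pos  # bytes the server has no use for
    if trailing and not allow_trailing:
        raise ValueError("%d unexpected trailing byte(s)" % trailing)
    return {"stmt_id": stmt_id, "params": values, "trailing_bytes": trailing}

def build_packet(payload, seq=0):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed samples: EXECUTE of statement 1 with one bound LONG parameter (42) ...
GOOD = build_packet(bytes([COM_STMT_EXECUTE]) + struct.pack("<IBI", 1, 0, 1)
                    + b"\x00\x01" + bytes([MYSQL_TYPE_LONG, 0]) + struct.pack("<i", 42))
# ... and the same payload with two garbage bytes appended, as a sloppy connector would send
SLOPPY = build_packet(GOOD[4:] + b"\xde\xad")
```

Strict parsing rejects SLOPPY outright, while relaxed parsing returns the same parameter value as for GOOD and merely reports the two ignored trailing bytes.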

SRPMS

7/core