CVE-2020-13249

NameCVE-2020-13249
Descriptionlibmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mariadb-10.1 (PTS)stretch10.1.45-0+deb9u1fixed
stretch (security)10.1.47-0+deb9u1fixed
mariadb-10.3 (PTS)buster1:10.3.23-0+deb10u1fixed
buster (security)1:10.3.25-0+deb10u1fixed
bullseye, sid1:10.3.24-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mariadb-10.1source(unstable)(not affected)
mariadb-10.3sourcebuster1:10.3.23-0+deb10u1
mariadb-10.3source(unstable)1:10.3.23-1

Notes

- mariadb-10.1 <not-affected> (Vulnerable code introduced later)
Fixed by: https://github.com/mariadb-corporation/mariadb-connector-c/commit/2759b87d72926b7c9b5426437a7c8dd15ff57945 (v3.1.8)
Introduced around: https://github.com/mariadb-corporation/mariadb-connector-c/commit/b4efe73c9e725f97b3550371f8a78a10a20bf2fd (v3.0-cc-server-integ-0)

Search for package or bug name: Reporting problems