CVE-2020-13249

Name	CVE-2020-13249
Description	libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mariadb-10.3 (PTS)	buster	1:10.3.34-0+deb10u1	fixed
	buster (security)	1:10.3.39-0+deb10u2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
mariadb-10.1	source	(unstable)	(not affected)
mariadb-10.3	source	buster	1:10.3.23-0+deb10u1
mariadb-10.3	source	(unstable)	1:10.3.23-1

Notes

- mariadb-10.1 <not-affected> (Vulnerable code introduced later)
Fixed by: https://github.com/mariadb-corporation/mariadb-connector-c/commit/2759b87d72926b7c9b5426437a7c8dd15ff57945 (v3.1.8)
Introduced around: https://github.com/mariadb-corporation/mariadb-connector-c/commit/b4efe73c9e725f97b3550371f8a78a10a20bf2fd (v3.0-cc-server-integ-0)