Ubuntu 22.04 LTS mariadb-server False Positive

Hi All,

I am receiving positive reports for the below 4 Ubuntu mariadb-server vulnerabilities, however, I believe they are false positives as the installed version exceeds the reported problematic ones.

[Ubuntu: Security Advisory (USN-5739-1) OID: 1.3.6.1.4.1.25623.1.1.12.2022.5739.1]
[Ubuntu: Security Advisory (USN-6600-1) OID: 1.3.6.1.4.1.25623.1.1.12.2024.6600.1]
[Ubuntu: Security Advisory (USN-5739-2) OID: 1.3.6.1.4.1.25623.1.1.12.2023.5739.2]
[Ubuntu: Security Advisory (USN-6839-1) OID: 1.3.6.1.4.1.25623.1.1.12.2024.6839.1]

Detection Result
Vulnerable package: mariadb-server
Installed version: mariadb-server-10.6-1:10.6.18+maria~ubu2204
Fixed version: >=mariadb-server-1:10.6.18-0ubuntu0.22.04.1

mariadb-server-10.6/unknown,now 1:10.6.18+maria~ubu2204 amd64 [installed,automatic]
mariadb-server-core-10.6/unknown,now 1:10.6.18+maria~ubu2204 amd64 [installed,automatic]
mariadb-server/unknown,now 1:10.6.18+maria~ubu2204 all [installed]

It looks to be something wrong with the version detection, where it wants >= 10.6.18 (which is installed), but is still triggering. Could this detection method be updated, please?

Many thanks,
APKG

Is it possible that this version detection issue is being caused by the fact we installed mariadb-server from the official MariaDB repo instead of the Ubuntu jammy-updates repo?

From MariaDB repo…

$ sudo apt list --installed | grep mariadb-server
mariadb-server-10.6/unknown,now 1:10.6.18+maria~ubu2204 amd64 [installed,automatic]
mariadb-server-core-10.6/unknown,now 1:10.6.18+maria~ubu2204 amd64 [installed,automatic]
mariadb-server/unknown,now 1:10.6.18+maria~ubu2204 all [installed]

$ sudo dpkg -l | grep mariadb-server
ii  mariadb-server                         1:10.6.18+maria~ubu2204              all          MariaDB database server binaries (metapackage depending on the latest version)
ii  mariadb-server-10.6                    1:10.6.18+maria~ubu2204              amd64        MariaDB database server binaries
ii  mariadb-server-core-10.6               1:10.6.18+maria~ubu2204              amd64        MariaDB database core server files

$ mariadb --version
mariadb  Ver 15.1 Distrib 10.6.18-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper

From Ubuntu repo…

$ sudo apt list --installed | grep mariadb-server
mariadb-server-10.6/jammy-updates,jammy-security,now 1:10.6.18-0ubuntu0.22.04.1 amd64 [installed,automatic]
mariadb-server-core-10.6/jammy-updates,jammy-security,now 1:10.6.18-0ubuntu0.22.04.1 amd64 [installed,automatic]
mariadb-server/jammy-updates,jammy-security,now 1:10.6.18-0ubuntu0.22.04.1 all [installed]

$ sudo dpkg -l | grep mariadb-server
ii  mariadb-server                         1:10.6.18-0ubuntu0.22.04.1              all          MariaDB database server (metapackage depending on the latest version)
ii  mariadb-server-10.6                    1:10.6.18-0ubuntu0.22.04.1              amd64        MariaDB database server binaries
ii  mariadb-server-core-10.6               1:10.6.18-0ubuntu0.22.04.1              amd64        MariaDB database core server files

$ mariadb --version
mariadb  Ver 15.1 Distrib 10.6.18-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper
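The two version strings above differ only in the part after `10.6.18`: the MariaDB-repo build carries `+maria~ubu2204` and no Debian revision, the Ubuntu build carries the revision `-0ubuntu0.22.04.1`. Whether one "exceeds" the other is decided by dpkg's version-comparison algorithm (Debian Policy 7.1), not by a plain string or float comparison. The following is an added example, not code from the post or from the openvas-scanner project: a stand-alone Python reimplementation of that algorithm, run over the installed and fixed versions quoted in this thread (constructed from the post's output, not captured from a scanner). It shows that, under dpkg rules, `1:10.6.18+maria~ubu2204` sorts after `1:10.6.18-0ubuntu0.22.04.1`, because a `+` in the upstream part sorts after end-of-string, while `~` sorts before it.

```python
"""Debian/dpkg version comparison, reimplemented for illustration.

Follows the rules in Debian Policy 7.1 / dpkg's verrevcmp():
  [epoch:]upstream_version[-debian_revision]
Epochs compare numerically; upstream and revision compare with the
alternating non-digit / digit algorithm below, where '~' sorts before
everything (even the end of the string), letters sort before
non-letters, and digit runs compare numerically.
"""

DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of one non-digit character in the dpkg ordering ('' = end)."""
    if c == "":
        return 0            # end of string
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)       # letters: sort after end-of-string, before '+', '.', etc.
    if c == "~":
        return -1           # tilde: sorts before everything, including end-of-string
    return ord(c) + 256     # any other character: after all letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. compare the non-digit prefixes character by character
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # 2. compare the digit runs numerically (drop leading zeros, then by length / first diff)
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1        # a's number has more digits, so it is larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)   # only the last '-' starts the revision
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg-style comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    return r if r else _cmp_fragment(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version satisfies a '>= fixed' requirement."""
    return compare_versions(installed, fixed) >= 0


# Version strings taken from the post (constructed sample input, not scanner output).
INSTALLED_MARIADB_REPO = "1:10.6.18+maria~ubu2204"
INSTALLED_UBUNTU_REPO = "1:10.6.18-0ubuntu0.22.04.1"
FIXED_USN = "1:10.6.18-0ubuntu0.22.04.1"


def report(installed: str, fixed: str) -> str:
    """One-line verdict, the way a practitioner would sanity-check a scanner finding."""
    verdict = "not vulnerable (>= fixed)" if is_fixed(installed, fixed) else "VULNERABLE (< fixed)"
    return f"installed {installed} vs fixed {fixed}: {verdict}"


if __name__ == "__main__":
    print(report(INSTALLED_MARIADB_REPO, FIXED_USN))
    print(report(INSTALLED_UBUNTU_REPO, FIXED_USN))
```

On any Debian or Ubuntu host the authoritative check is the real implementation, e.g. `dpkg --compare-versions '1:10.6.18+maria~ubu2204' ge '1:10.6.18-0ubuntu0.22.04.1' && echo ok`; the Python above exists only so the ordering rules can be read and stepped through offline. The same comparison applies to the later `10.6.11` fixed version quoted further down in the thread.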

Hey @apkg

The issue is now fixed and a new release was made last week. See Release v23.8.2 · greenbone/openvas-scanner · GitHub

Thanks for your contribution!

2 Likes

Hey @Arno

Thank you. Do you know when this update will make its way into the Community containers?

Many thanks,
APKG

A new stable image of openvas-scanner was pushed 4 days ago. So it should already be in it by now. Please provide feedback if the fix is not working as intended.

1 Like

Hi @Arno

We pull images daily but are still getting this vulnerability reported. What has changed is the fixed version has decreased to 10.6.11 from 10.6.18.

Vulnerable package:   mariadb-server
Installed version:    mariadb-server-10.6-1:10.6.18+maria~ubu2204
Fixed version:      >=mariadb-server-1:10.6.11-0ubuntu0.22.04.1

Kind regards,
APKG