Error with downgrade "update" from mariadb 10.5.6

k1l0b1t

I got an "update" notice in CB about mariaDB, from 10.5.6 -> 10.5.5. It appears that the error is caused by an empty file at https://files.directadmin.com/services/custombuild/all/mariadb/10.5/10.5.5/centos7-64.txt (also empty on the fastest mirror, files-fr in my case).

Also, why is there this weird downgrade?

Full error below.

Code:
 Downloading mysql/centos7-64.txt...
--2020-11-07 10:10:43-- https://files-fr.directadmin.com/services/custombuild/all/mariadb/10.5/10.5.5/centos7-64.txt
Resolving files-fr.directadmin.com (files-fr.directadmin.com)... 2001:41d0:8:4a71::5, 92.222.207.19
Connecting to files-fr.directadmin.com (files-fr.directadmin.com)|2001:41d0:8:4a71::5|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: '/usr/local/directadmin/custombuild/mysql/centos7-64.txt'
0K 0.00 =0s
2020-11-07 10:10:43 (0.00 B/s) - '/usr/local/directadmin/custombuild/mysql/centos7-64.txt' saved [0/0]
Downloaded file /usr/local/directadmin/custombuild/mysql/centos7-64.txt does not exist or is empty after download
cwd is: /usr/local/directadmin/custombuild
Fileserver might be down, using the backup file server..
--2020-11-07 10:10:43-- http://69.162.69.58/services/custombuild/all/mariadb/10.5/10.5.5/centos7-64.txt
Connecting to 69.162.69.58:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: '/usr/local/directadmin/custombuild/mysql/centos7-64.txt'
0K 0.00 =0s
2020-11-07 10:10:43 (0.00 B/s) - '/usr/local/directadmin/custombuild/mysql/centos7-64.txt' saved [0/0]
/usr/local/directadmin/custombuild/build: line 10993: [: too many arguments
/usr/local/directadmin/custombuild/build: line 10998: [: too many arguments
/usr/local/directadmin/custombuild/build: line 11001: [: too many arguments
/usr/local/directadmin/custombuild/build: line 11004: [: too many arguments
/usr/local/directadmin/custombuild/build: line 11007: [: too many arguments
/usr/local/directadmin/custombuild/build: line 11032: [: too many arguments
/usr/local/directadmin/custombuild/build: line 11036: [: too many arguments
*** Cannot find /usr/local/directadmin/custombuild/mysql/mysql/centos7-64.txt. Aborting ***

(CC: @smtalk)
 
I got an "update" notice in CB about mariaDB, from 10.5.6 -> 10.5.5.
As you can see, this is not an update but a downgrade, you should not run this. It's probably a bug.

Same is happening with the 10.4.15 notice. So wait until it's fixed and the version is indeed pointing to an upgrade, not a downgrade.
 
Do not downgrade! It may brick your server as system tables may be incompatible and the mysql_upgrade utility is not designed to revert changes.
 
Do not downgrade! It may brick your server as system tables may be incompatible and the mysql_upgrade utility is not designed to revert changes.
Lucky I decided to check the forum first. I also have this option for a 'downgrade update' on CentOS 8. I did not install it.

Just to be sure, does this look like the correct information? (As reported by DA / CustomBuild):
Current version: 10.4.15 - 'New version': 10.4.14
 
It is definitely some issue with the admins of the DA servers. They probably reverted some backup. I don't know.
 
What should people do or look out for who had already upgraded?
There was no upgrade, it's a downgrade. People should look at the notice they get. And if it's a lower number, do NOT run the "upgrade".
If I'm correct nobody downgraded yet. But some additional notice would indeed be nice anyway.
 
There was no upgrade, it's a downgrade. People should look at the notice they get. And if it's a lower number, do NOT run the "upgrade".
If I'm correct nobody downgraded yet. But some additional notice would indeed be nice anyway.
It seems they pulled back the .6 upgrade because it can cause issues. So then there are 2 groups of people:
A) People who had already upgraded to .6 (what I meant)
B) People who had not upgraded yet, and are still at .5.

If they pulled back the upgrade for the B group, to prevent them getting issues, that's understandable. But since there's a lot of people who already had upgraded (A group), it creates confusion. So what I meant was, for this group at .6 they should have made an announcement with indeed the advice not to downgrade, if that's the best thing to do.
 
There is an active vulnerability for most recent branches of MariaDB:

Vulnerable Version: All versions prior to fixed versions.
Fixed Version: 10.5.7, 10.4.16, 10.3.26, 10.2.35, 10.1.48
CVE Number: *PENDING*

Vulnerability Description:
--------------------------

MariaDB is vulnerable to an arbitrary file delete vulnerability that allows unprivileged users the ability to corrupt and/or delete files owned by the 'mysql' user including other user databases.

This vulnerability is allowed to happen due to the use of insecure temporary files related to the MyISAM/Aria operations.

In our testing, most hosting control panels that use MariaDB are vulnerable to this exploit. It is incredibly easy to exploit and users are highly recommended to update as soon as possible.
 
OK, that's bad and huge.

But it says "ALL versions prior to the fixed...". Therefore the downgrade is still making no sense.

By the way MariaDB 10.4.17 and 10.5.8 are already available.
 
Correct. Downgrading (which I don't recommend for all the reasons mentioned above) would only resolve the aforementioned bug. However, you'd still be vulnerable. To resolve that we'd need to upgrade to 10.4.16+ or 10.5.7+.
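
The two rules stated in this thread (do not run an "update" whose version number is lower than the installed one, and treat anything below 10.5.7, 10.4.16, 10.3.26, 10.2.35 or 10.1.48 as still vulnerable) written as a shell check. This is an added example, not CustomBuild code and not part of any post above; the function names are hypothetical and `sort -V` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example. Fixed releases are the ones quoted in the advisory above.
FIXED_VERSIONS="10.5.7 10.4.16 10.3.26 10.2.35 10.1.48"

# version_lt A B: succeeds when A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# branch_of 10.5.6 prints 10.5
branch_of() {
    printf '%s\n' "${1%.*}"
}

# is_patched VERSION: 0 = at or above the fixed release of its branch,
# 1 = below it, 2 = branch not in FIXED_VERSIONS (cannot tell).
is_patched() {
    for fixed in $FIXED_VERSIONS; do
        if [ "$(branch_of "$fixed")" = "$(branch_of "$1")" ]; then
            version_lt "$1" "$fixed" && return 1
            return 0
        fi
    done
    return 2
}

# check_offer INSTALLED OFFERED: prints a verdict for an update notice.
check_offer() {
    if version_lt "$2" "$1"; then
        echo "REFUSE: $1 -> $2 is a downgrade"
        return 0
    fi
    if [ "$1" = "$2" ]; then
        echo "SKIP: already at $1"
        return 0
    fi
    # Capture the status without tripping 'set -e' in a calling script.
    is_patched "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "APPLY: $1 -> $2 reaches the fixed release" ;;
        1) echo "STILL-VULNERABLE: $2 is below the fixed release" ;;
        *) echo "UNKNOWN: no fixed release listed for $(branch_of "$2")" ;;
    esac
}
```
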
 