
Re: MariaDB security vulnerabilities



Hi!

On Mon, Feb 14, 2022 at 4:04 AM Markus Koschany <apo@debian.org> wrote:
>
> Hello,
>
> Just a heads-up. New CVEs have been reported for MariaDB 10.3. It is likely that
> 10.1 in Stretch is affected as well. Otto Kekäläinen (maintainer) is currently
> investigating if it is feasible to backport a newer MariaDB version to Stretch
> because 10.1 is no longer supported upstream. Do we have any past experiences
> how to handle MySQL/MariaDB updates if they are no longer supported?

MariaDB 10.6 has so many changes in its build dependencies that making
it build on Stretch library versions is probably too much work.
Test build log at
https://salsa.debian.org/mariadb-team/mariadb-server/-/jobs/2480109

MariaDB 10.3 at least builds:
https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498645
However, the mariadb-plugin-myrocks installation fails due to missing
run-time dependencies:
https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498653

MariaDB 10.3 is also easier as it can use the existing galera-3
package already in Stretch. Upstream support is until spring 2023.

I think backporting MariaDB 10.3 might be feasible, but requires work.
Is there really a lot of demand?

- Otto

