[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MariaDB security vulnerabilities

Dear Otto,

thanks for providing this valuable information.

Providing new binaries in LTS release can potentially break some
stuff. But if both
10.1 and 10.3 can co-exist, it could be an option.

Another problem is that 10.3 provides a new ABI (libmariadb19 instead
of libmariadb18), so
basically the rebuilding of all dependent binaries is needed (some
kind of transition). It is unlikely
possible as a security-only-support version.

Anyway, I have added mariadb-10.1 into the dla-needed.txt just to keep
it on track. But I am
not really sure that backporting of 10.3 will be a reality.

Best regards


Am Di., 22. Feb. 2022 um 09:51 Uhr schrieb Otto Kekäläinen <otto@debian.org>:
> Hi!
> On Mon, Feb 14, 2022 at 4:04 AM Markus Koschany <apo@debian.org> wrote:
> >
> > Hello,
> >
> > Just a heads-up. New CVE have been reported for MariaDB 10.3. It is likely that
> > 10.1 in Stretch is affected as well. Otto Kekäläinen (maintainer) is currently
> > investigating if it is feasible to backport a newer MariaDB version to Stretch
> > because 10.1 is no longer supported upstream. Do we have any past experiences
> > how to handle MySQL/MariaDB updates if they are no longer supported?
> MariaDB 10.6 has so many changes in its build dependencies that making
> it build on Stretch library versions is probably too much work.
> Test build log at
> https://salsa.debian.org/mariadb-team/mariadb-server/-/jobs/2480109
> MariaDB 10.3 at least builds:
> https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498645
> However the mariadb-plugin-myrocks installation fails due to missing
> run-time dependencies:
> https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498653
> MariaDB 10.3 is also easier as it can use the existing galera-3
> package already in Stretch. Upstream support is until spring 2023.
> I think backporting MariaDB 10.3 might be feasible, but requires work.
> Is there really a lot of demand?
> - Otto

Reply to: