
Re: MariaDB security vulnerabilities



Dear Otto,

thanks for providing this valuable information.

Providing new binaries in an LTS release can potentially break some
stuff. But if both 10.1 and 10.3 can co-exist, it could be an option.

Another problem is that 10.3 provides a new ABI (libmariadb19 instead
of libmariadb18), so basically all dependent binaries would need to be
rebuilt (some kind of transition). That is unlikely to be possible for
a security-only-support version.

Anyway, I have added mariadb-10.1 to dla-needed.txt just to keep it on
track. But I am not really sure that a backport of 10.3 will become a
reality.

Best regards

Anton

Am Di., 22. Feb. 2022 um 09:51 Uhr schrieb Otto Kekäläinen <otto@debian.org>:
>
> Hi!
>
> On Mon, Feb 14, 2022 at 4:04 AM Markus Koschany <apo@debian.org> wrote:
> >
> > Hello,
> >
> > Just a heads-up. New CVEs have been reported for MariaDB 10.3. It is likely that
> > 10.1 in Stretch is affected as well. Otto Kekäläinen (maintainer) is currently
> > investigating whether it is feasible to backport a newer MariaDB version to Stretch,
> > because 10.1 is no longer supported upstream. Do we have any past experience of
> > how to handle MySQL/MariaDB updates when they are no longer supported?
>
> MariaDB 10.6 has so many changes in its build dependencies that making
> it build on Stretch library versions is probably too much work.
> Test build log at
> https://salsa.debian.org/mariadb-team/mariadb-server/-/jobs/2480109
>
> MariaDB 10.3 at least builds:
> https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498645
> However, the mariadb-plugin-myrocks installation fails due to missing
> run-time dependencies:
> https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498653
>
> MariaDB 10.3 is also easier as it can use the existing galera-3
> package already in Stretch. Upstream support is until spring 2023.
>
> I think backporting MariaDB 10.3 might be feasible, but requires work.
> Is there really a lot of demand?
>
> - Otto
>