Bug#1104874: bookworm-pu: package mariadb 1:10.11.12-0+deb12u1
On Wed, 2025-06-11 at 19:39 +0300, Otto Kekäläinen wrote:
> > > Bookworm has a different major version than Trixie, so there is no
> > > gain in waiting for Trixie version (MariaDB 11.10 vs 11.8).
> >
> > That's not entirely correct.
> >
> > One of the reasons for wanting fixes to land in higher suites
> > before stable is to avoid the risk of upgrade regressions. If
> > stable receives a fix first, then users upgrading to testing
> > afterwards would become vulnerable to the fixed issues again.
>
> Normally yes, but considering that the unstable version is a whole
> new major version this line of thinking is not relevant for this
> scenario at all.
You're conflating two things here. Both form part of the reasoning, but
they are different, and one is certainly still relevant here.
The difference in the codebases may make it less likely that the
specific fix for the CVE in unstable will be directly applicable to the
version in stable, but it does not change the fact that if both are
affected and stable is fixed first then users upgrading will be
re-affected by the CVE in the process.
Regards,
Adam