
Bug#971367: mariadb-10.5 should not embed wolfssl



Source: mariadb-10.5
Version: 1:10.5.5-1
Tags: security
Severity: serious
Justification: unsupportable by the Debian security team

Hi Otto,

I've hinted that the situation about an embedded ssl library might be
suboptimal earlier. Since then, I've checked (using the buildd logs)
that indeed mariadb does build an embedded copy of wolfssl. I've also
checked with the Debian security team (Moritz Muehlenhoff in
particular). Such an embedding is unsupportable by the security team.
For that reason, I'm filing this as a release critical bug. It expresses
a veto of the security team for including the package in a stable
release as is.

On a technical level, this seems easy to solve. You currently pass
-DWITH_SSL=bundled. The build system supports -DWITH_SSL=system in
principle. What I'm less sure about is whether doing so breaks any
functionality and whether the involved licenses are actually compatible.

I do hope that you can sort this out. Thanks for your hard work in
managing this complex package and otherwise integrating it into Debian.

Helmut

