[debian-mysql] Bug#971367: mariadb-10.5 should not embed wolfssl
Moritz Mühlenhoff
jmm at inutil.org
Tue Sep 29 22:42:29 BST 2020
On Tue, Sep 29, 2020 at 02:57:48PM +0200, Helmut Grohne wrote:
> Source: mariadb-10.5
> Version: 1:10.5.5-1
> Tags: security
> Severity: serious
> Justification: unsupportable by the Debian security team
>
> Hi Otto,
>
> I've hinted that the situation about an embedded ssl library might be
> suboptimal earlier. Since then, I've checked (using the buildd logs)
> that indeed mariadb does build an embedded copy of wolfssl. I've also
> checked with the Debian security team (Moritz Muehlenhoff in
> particular). Such an embedding is unsupportable by the security team.
Actually when I saw this in IRC, I thought the "-DWITH_SSL=bundled" referred
to MariaDB 10.5 having switched to a bundled version of OpenSSL.
Historically mariadb/mysql has always used a bundled copy of yassl
(now named wolfssl), so not switching to the shared src:wolfssl is
not a regression over the status quo in buster.
But by all means if we can find a way to fix the build to use the system-wide
WolfSSL, let's do it.
Cheers,
Moritz
More information about the pkg-mysql-maint
mailing list