Bug#1032074: libdbd-mysql-perl: Also a problem with /usr/bin/mysql

Russell King rmk+debian at armlinux.org.uk
Wed Jun 21 14:27:27 BST 2023


Package: libdbd-mysql-perl
Version: 4.050-5+b1
Followup-For: Bug #1032074

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

Upgrading from Debian Buster to Debian Bookworm.

I have custom perl scripts that run my Linux Kernel patch management
system which make use of DBD::mysql to contact a MariaDB server in
another VM. The MariaDB server is running Debian Buster.

Capturing traffic on port 3306 and examining with wireshark reveals
that when a Debian Buster system is used to connect to the Debian
Buster MariaDB server, it uses TLS v1.3.

However, Debian Bookworm's DBD::mysql uses TLS v1.1, as does
/usr/bin/mysql. This means that if a recent non-buggy TLS version is
required to connect to a Debian Buster mariadb, Debian Bookworm
systems are incompatible due to the lower TLS version that they
support.

I have tried configuring a minimum TLS version in /etc/ssl/openssl.cnf
to increase the security level via:

[openssl_init]
+ssl_conf = ssl_sect

+[ssl_sect]
+system_default = system_default_sect

+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT at SECLEVEL=2
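
Review bot: On the `CipherString` line, `DEFAULT at SECLEVEL=2` is not valid OpenSSL cipher-string syntax. The security level is written `DEFAULT@SECLEVEL=2`, and the ` at ` here looks like the list archive's address obfuscation rather than what is in the file, so check the file itself. The hunk also adds `ssl_conf` under an existing `[openssl_init]` section, which only takes effect if the top of the file has `openssl_conf = openssl_init`. In any case `MinProtocol` in `system_default_sect` only constrains programs whose TLS library is OpenSSL and loads this file.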

but this still results in DBD::mysql using TLS v1.1.

This obviously causes a regression where the mariadb server is set to
a modern minimum non-buggy security level, and thus has *security*
implications given that TLS v1.1 is no longer regarded as secure.

I suspect this is a problem with mariadb shipped with Debian Bookworm
rather than being specific to the perl DBD driver.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: armhf (armv7l)

Kernel: Linux 6.1.0+ (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdbd-mysql-perl depends on:
ii  libc6                         2.36-9
ii  libdbi-perl [perl-dbdabi-94]  1.643-4
ii  libmariadb3                   1:10.11.3-1
ii  perl                          5.36.0-7
ii  perl-base [perlapi-5.36.0]    5.36.0-7

libdbd-mysql-perl recommends no packages.

libdbd-mysql-perl suggests no packages.

-- no debconf information
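
The capture check described in the report (reading the negotiated TLS version off port 3306 traffic), as an added example that is not part of the original message. It assumes the ServerHello record has already been extracted from the stream after the MySQL-protocol greeting, and the sample records and the TLS 1.2 floor are constructed for illustration. For TLS 1.3 the version must be read from the `supported_versions` extension, because the legacy field still says 1.2.

```python
import struct

VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
MIN_ACCEPTABLE = 0x0303  # assumption: policy floor is TLS 1.2, as in the MinProtocol setting


def negotiated_version(record: bytes) -> int:
    """Return the protocol version a ServerHello record actually selects."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack_from("!H", hello, 0)[0]   # legacy_version
    pos = 2 + 32                  # skip legacy_version and random
    pos += 1 + hello[pos]         # skip session_id
    pos += 2 + 1                  # skip cipher_suite and compression_method
    if pos + 2 > len(hello):
        return version            # no extensions: TLS 1.2 or older
    ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 0x002B and ext_len == 2:       # supported_versions
            version = struct.unpack_from("!H", hello, pos + 4)[0]
        pos += 4 + ext_len
    return version


def check(record: bytes):
    """Return (version name, meets policy floor)."""
    v = negotiated_version(record)
    return VERSIONS.get(v, hex(v)), v >= MIN_ACCEPTABLE


def _server_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (not captured traffic)."""
    # zero random, empty session_id, placeholder cipher suite, null compression
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, legacy, len(hs)) + hs


SAMPLE_TLS11 = _server_hello(0x0302)
SAMPLE_TLS13 = _server_hello(0x0303, struct.pack("!HHH", 0x002B, 2, 0x0304))

if __name__ == "__main__":
    print(check(SAMPLE_TLS11), check(SAMPLE_TLS13))
```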