[debian-mysql] Bug#971367: mariadb-10.5 should not embed wolfssl

Helmut Grohne helmut at subdivi.de
Tue Sep 29 13:57:48 BST 2020


Source: mariadb-10.5
Version: 1:10.5.5-1
Tags: security
Severity: serious
Justification: unsupportable by the Debian security team

Hi Otto,

I've hinted that the situation about an embedded ssl library might be
suboptimal earlier. Since then, I've checked (using the buildd logs)
that indeed mariadb does build an embedded copy of wolfssl. I've also
checked with the Debian security team (Moritz Muehlenhoff in
particular). Such an embedding is unsupportable by the security team.
For that reason, I'm filing this as a release critical bug. It expresses
a veto of the security team for including the package in a stable
release as is.

On a technical level, this seems easy to solve. You currently pass
-DWITH_SSL=bundled. The build system supports -DWITH_SSL=system in
principle. What I'm less sure about is whether doing so breaks any
functionality and whether the involved licenses are actually compatible.

I do hope that you can sort this out. Thanks for your hard work in
managing this complex package and otherwise integrating it into Debian.

Helmut


