Hi, * Sven Hartge [Mon Jul 13, 2026 at 06:54:43AM +0200]:
> Package: mariadb-server > Version: 1:10.11.18-0+deb12u1 > Severity: important > > Hello! > > On Debian 12, after the upgrade to 1:10.11.18-0+deb12u1, I find that > mariadb.socket has been activated without any input or consent from me. > > This results in mariadb-server now suddenly being available to *:3306 > (i.e. the Internet if no firewall is configured) instead of just > 127.0.0.1:3306. > > This is very unfortunate, as this potentially exposes the server to attacks. > > Here is how the state of the socket looks before and after the upgrade: [...] > No manual change has been done my me, just "apt full-upgrade". > > Because mariadbd is running at the moment, this won't have an effect > until rebooting the system, which is an additional wrinkle, masking the > new unsafe situation even further, obscuring the reason for the change. I can confirm this behavior, which I also just noticed on one of my systems. regards -mika-
signature.asc
Description: PGP signature

