On Wed, Sep 30, 2020 at 08:09:10PM +0300, Otto Kekäläinen wrote:
> Control: forwarded -1 https://jira.mariadb.org/browse/MDEV-21835
>
> Note that the upstream MariaDB uses OpenSSL both for building the
> server and the client. In Debian OpenSSL is forbidden in the current
> state (or so has e.g. C
On Wed, 30 Sep 2020 20:09:10 +0300 Otto Kekäläinen wrote:
> Control: forwarded -1 https://jira.mariadb.org/browse/MDEV-21835
>
> Note that the upstream MariaDB uses OpenSSL both for building the
> server and the client. In Debian OpenSSL is forbidden in the current
> state (o
Correction to the previous email:
The server builds (apparently statically) with WolfSSL while the
client uses GnuTLS (dynamically):
# mariadb -Bse 'SHOW VARIABLES' | grep -e version_ssl_library
version_ssl_library WolfSSL 4.4.0
# ldd $(which mariadbd) | grep -e crypt -e tls -e ssl
libcrypt.so.1
Control: forwarded -1 https://jira.mariadb.org/browse/MDEV-21835
Note that the upstream MariaDB uses OpenSSL both for building the
server and the client. In Debian OpenSSL is forbidden in the current
state (or so has e.g. Clint Byrum stated), so in Debian we build using
alternatives, which for the
Processing control commands:
> forwarded -1 https://jira.mariadb.org/browse/MDEV-21835
Bug #971367 [src:mariadb-10.5] mariadb-10.5 should not embed wolfssl
Set Bug forwarded-to-address to 'https://jira.mariadb.org/browse/MDEV-21835'.
--
971367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=9
On Tue, Sep 29, 2020 at 02:57:48PM +0200, Helmut Grohne wrote:
> Source: mariadb-10.5
> Version: 1:10.5.5-1
> Tags: security
> Severity: serious
> Justification: unsupportable by the Debian security team
>
> Hi Otto,
>
> I've hinted that the situation about an embedded ssl library might be
> subo
Hello!
> Thank you for the background. Let me detail on the security side. The
> issue is not with using wolfssl. The issue is with using a bundled ssl
> library. Doing so means that a single bug in wolfssl must be uploaded
> several times in order to fix it. I think it would be ok to use the
> sy
On Tue, Sep 29, 2020 at 03:24:52PM +0100, Robie Basak wrote:
> The relevant previous bug is
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921488 where the
> packaging switched from "system" to "bundled". Switching back to
> "system" would regress that licensing problem.
>
> Also relevant is
Switching to OpenSSL 3.0 would remove the license issue (as 3.0 is Apache
licensed), but it is still alpha and in experimental only.
https://packages.debian.org/source/experimental/openssl
I've suggested upstream they would support system WolfSSL but it hasn't
been a priority so far and I am not
Hi,
The relevant previous bug is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921488 where the
packaging switched from "system" to "bundled". Switching back to
"system" would regress that licensing problem.
Also relevant is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924937 which is th
Source: mariadb-10.5
Version: 1:10.5.5-1
Tags: security
Severity: serious
Justification: unsupportable by the Debian security team
Hi Otto,
I've hinted that the situation about an embedded ssl library might be
suboptimal earlier. Since then, I've checked (using the buildd logs)
that indeed mariad