Dear Otto, thanks for providing this valuable information.
Providing new binaries in LTS release can potentially break some stuff. But if both 10.1 and 10.3 can co-exist, it could be an option. Another problem is that 10.3 provides a new ABI (libmariadb19 instead of libmariadb18), so basically the rebuilding of all dependent binaries is needed (some kind of transition). It is unlikely possible as a security-only-support version. Anyway, I have added mariadb-10.1 into the dla-needed.txt just to keep it on track. But I am not really sure that backporting of 10.3 will be a reality. Best regards Anton Am Di., 22. Feb. 2022 um 09:51 Uhr schrieb Otto Kekäläinen <o...@debian.org>: > > Hi! > > On Mon, Feb 14, 2022 at 4:04 AM Markus Koschany <a...@debian.org> wrote: > > > > Hello, > > > > Just a heads-up. New CVE have been reported for MariaDB 10.3. It is likely > > that > > 10.1 in Stretch is affected as well. Otto Kekäläinen (maintainer) is > > currently > > investigating if it is feasible to backport a newer MariaDB version to > > Stretch > > because 10.1 is no longer supported upstream. Do we have any past > > experiences > > how to handle MySQL/MariaDB updates if they are no longer supported? > > MariaDB 10.6 has so many changes in its build dependencies that making > it build on Stretch library versions is probably too much work. > Test build log at > https://salsa.debian.org/mariadb-team/mariadb-server/-/jobs/2480109 > > MariaDB 10.3 at least builds: > https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498645 > However the mariadb-plugin-myrocks installation fails due to missing > run-time dependencies: > https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/2498653 > > MariaDB 10.3 is also easier as it can use the existing galera-3 > package already in Stretch. Upstream support is until spring 2023. > > I think backporting MariaDB 10.3 might be feasible, but requires work. > Is there really a lot of demand? > > - Otto >
