On Tue, Sep 29, 2020 at 02:57:48PM +0200, Helmut Grohne wrote:
> Source: mariadb-10.5
> Version: 1:10.5.5-1
> Tags: security
> Severity: serious
> Justification: unsupportable by the Debian security team
>
> Hi Otto,
>
> I've hinted that the situation about an embedded ssl library might be
> suboptimal earlier. Since then, I've checked (using the buildd logs)
> that indeed mariadb does build an embedded copy of wolfssl. I've also
> checked with the Debian security team (Moritz Muehlenhoff in
> particular). Such an embedding is unsupportable by the security team.

Actually when I saw this in IRC, I thought the "-DWITH_SSL=bundled" referred to MariaDB 10.5 having switched to a bundled version of OpenSSL.

Historically mariadb/mysql has always used a bundled copy of yassl (now named wolfssl), so not switching to the shared src:wolfssl is not a regression over the status quo in buster.

But by all means if we can find a way to fix the build to use the system-wide WolfSSL, let's do it.

Cheers,
Moritz