Hi,

* Sven Hartge [Mon Jul 13, 2026 at 06:54:43AM +0200]:

> Package: mariadb-server
> Version: 1:10.11.18-0+deb12u1
> Severity: important
> 
> Hello!
> 
> On Debian 12, after the upgrade to 1:10.11.18-0+deb12u1, I find that
> mariadb.socket has been activated without any input or consent from me.
> 
> This results in mariadb-server now suddenly being available to *:3306
> (i.e. the Internet if no firewall is configured) instead of just
> 127.0.0.1:3306.
> 
> This is very unfortunate, as this potentially exposes the server to attacks.
> 
> Here is how the state of the socket looks before and after the upgrade:

[...]

> No manual change has been done my me, just "apt full-upgrade".
> 
> Because mariadbd is running at the moment, this won't have an effect
> until rebooting the system, which is an additional wrinkle, masking the
> new unsafe situation even further, obscuring the reason for the change.

I can confirm this behavior, which I also just noticed on one of my
systems.

regards
-mika-

Attachment: signature.asc
Description: PGP signature

Reply via email to