Hello community,

here is the log from the commit of package mariadb for openSUSE:Factory checked 
in at 2020-02-25 16:00:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mariadb (Old)
 and      /work/SRC/openSUSE:Factory/.mariadb.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mariadb"

Tue Feb 25 16:00:36 2020 rev:91 rq:777998 version:10.4.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/mariadb/mariadb.changes  2019-12-23 
22:36:32.681796906 +0100
+++ /work/SRC/openSUSE:Factory/.mariadb.new.26092/mariadb.changes       
2020-02-25 16:00:51.299987931 +0100
@@ -1,0 +2,89 @@
+Fri Feb 21 14:44:16 UTC 2020 - Kristyna Streitova <[email protected]>
+
+ - remove @VERSION@ from mariadb.service and [email protected]
+
+-------------------------------------------------------------------
+Fri Feb  7 12:47:56 UTC 2020 - [email protected]
+
+- disable testing with rpm macros as it does not work as for 10.4,
+  needs to be investigated
+
+-------------------------------------------------------------------
+Wed Feb  5 14:08:30 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- update suse_skipped_tests.list for ppc
+
+-------------------------------------------------------------------
+Tue Feb  4 15:30:16 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- rename mariadb.rpmlintrc to mariadb-rpmlintrc
+- for ppc install pam_user_map.so in /lib/security
+
+-------------------------------------------------------------------
+Tue Feb  4 10:53:34 UTC 2020 - [email protected]
+
+- rename mariadb-10.2.12-harden_setuid.patch to
+  mariadb-10.4.12-harden_setuid.patch to match the correct version number.
+- add mariadb-10.4.12-fix-install-db.patch to improve default behaviour of
+  mysql_install_db. This prevents performing security sensitive actions to
+  be performed but instead only warns the caller (bsc#1160868).
+
+-------------------------------------------------------------------
+Sun Feb  2 21:53:07 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- update to 10.4.12
+  * release notes and changelog:
+    https://mariadb.com/kb/en/library/mariadb-10412-release-notes
+    https://mariadb.com/kb/en/library/mariadb-10412-changelog
+    https://mariadb.com/kb/en/library/mariadb-10411-release-notes
+    https://mariadb.com/kb/en/library/mariadb-10411-changelog
+  * fixes for the following security vulnerabilities:
+    CVE-2020-2574
+  * don't let mysql_install_db set SUID bit for auth_pam_tool
+    in rpm/deb packages CVE-2020-7221 [bsc#1160868]
+- add mariadb-10.2.12-harden_setuid.patch to harden auth_pam_tool
+  setuid-root binary [bsc#1160285]
+- pack pam_user_map.so module in the /%{_lib}/security directory
+  and user_map.conf configuration file in the /etc/security directory
+- fix race condition with mysql_upgrade_info status file by moving
+  it to the location owned by root (/var/lib/misc) CVE-2019-18901
+  [bsc#1160895]
+- move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade
+  to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't
+  use it for a symlink attack [bsc#1160912]
+- change -DWITH_COMMENT and -DCOMPILATION_COMMENT to be
+  SUSE/openSUSE independent
+
+-------------------------------------------------------------------
+Fri Jan 24 17:02:52 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- enhance mariadb.service and [email protected] with various options
+  (Documentation=, User=, Group=, KillSignal=, SendSIGKILL=,
+  Restart=, RestartSec=, CapabilityBoundingSet=, ProtectSystem=,
+  ProtectHome=, PermissionsStartOnly= and UMask=) [bsc#1160878] 
+- mysql-systemd-helper: use systemd-tmpfiles instead of shell
+  script operations for a cleaner and safer creating of /run/mysql
+  [bsc#1160883]
+
+-------------------------------------------------------------------
+Fri Jan  3 13:31:34 UTC 2020 - Kristyna Streitova <[email protected]>
+
+- update to 10.4.10
+  * changes and improvements for 10.4
+    https://mariadb.com/kb/en/changes-improvements-in-mariadb-104/
+  * fixes for the following security vulnerabilities: none
+- pack mariadb variants of the mysql binaries (e.g. mariadb-dumpslow
+  is a symlink to mysqldumpslow and the like)
+- refresh mariadb-10.2.4-fortify-and-O.patch
+- update suse_skipped_tests.list
+- _constraints: increase physicalmemory value
+- package auth_pam_tool setuid binary properly
+- add cracklib-password-check subpackage but do not build it right
+  now (cracklib-dict-full >= 2.9.0 is not available yet)
+- add rcmariadb compat link
+- add mariadb.rpmlintrc file
+- do not move my_safe_process to bindir but use rpmlint
+  arch-dependent-file-in-usr-share exception for it (this file
+  is used just for the testing and it doesn't have to be in bindir
+ 
+-------------------------------------------------------------------
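Review bot: The bsc#1160868 entry for mariadb-10.4.12-fix-install-db.patch reads "This prevents performing security sensitive actions to be performed", which is garbled and does not say which actions are meant. Name them (the chown/chmod of auth_pam_tool and auth_pam_tool_dir) and state that mysql_install_db now only checks and warns. The last entry also leaves its parenthesis open after "it doesn't have to be in bindir", and the 2020-02-02 entry still adds the patch under the name mariadb-10.2.12-harden_setuid.patch, which the 2020-02-04 entry then renames.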

Old:
----
  mariadb-10.3.20.tar.gz
  mariadb-10.3.20.tar.gz.sig

New:
----
  mariadb-10.4.12-fix-install-db.patch
  mariadb-10.4.12-harden_setuid.patch
  mariadb-10.4.12.tar.gz
  mariadb-10.4.12.tar.gz.sig
  mariadb-rpmlintrc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mariadb.spec ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.607978577 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.607978577 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package mariadb
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -49,12 +49,14 @@
 %endif
 # Define python interpreter version
 %if 0%{?suse_version} >= 1500
-%define python_path /usr/bin/python3            
+%define python_path %{_bindir}/python3
 %else            
-%define python_path /usr/bin/python2            
+%define python_path %{_bindir}/python2
 %endif
+# Build with cracklib plugin when cracklib-dict-full >= 2.9.0 is available
+%define with_cracklib_plugin 0
 Name:           mariadb
-Version:        10.3.20
+Version:        10.4.12
 Release:        0
 Summary:        Server part of MariaDB
 License:        SUSE-GPL-2.0-with-FLOSS-exception
@@ -73,11 +75,14 @@
 Source18:       [email protected]
 Source19:       macros.mariadb-test
 Source50:       suse_skipped_tests.list
+Source51:       mariadb-rpmlintrc
 Patch1:         mariadb-10.2.4-logrotate.patch
 Patch3:         mariadb-10.1.1-mysqld_multi-features.patch
 Patch7:         mariadb-10.0.15-logrotate-su.patch
 Patch8:         mariadb-10.2.4-fortify-and-O.patch
 Patch9:         mariadb-10.2.19-link-and-enable-c++11-atomics.patch
+Patch10:        mariadb-10.4.12-harden_setuid.patch
+Patch11:        mariadb-10.4.12-fix-install-db.patch
 # needed for bison SQL parser and wsrep API
 BuildRequires:  bison
 BuildRequires:  cmake
@@ -141,6 +146,7 @@
 Requires:       perl-base
 # myrocks_hotbackup needs MySQLdb - if we want to use it under python3, we 
need python3-mysqlclient
 Requires:       python3-mysqlclient
+Requires(post): permissions
 Requires(pre):  shadow
 Recommends:     logrotate
 Conflicts:      mariadb-server
@@ -332,6 +338,22 @@
 A set of scripts for administering a MariaDB or developing
 applications with MariaDB.
 
+%if 0%{with_cracklib_plugin} > 0
+%package cracklib-password-check
+Summary:        The password strength checking plugin
+BuildRequires:  cracklib-devel >= 2.9.0
+BuildRequires:  cracklib-dict-small >= 2.9.0
+Requires:       %{name} = %{version}
+Requires:       cracklib-dict-small >= 2.9.0
+
+%description      cracklib-password-check
+cracklib_password_check is a password validation plugin. It uses the CrackLib
+library to check the strength of new passwords. CrackLib is installed by 
default
+in many Linux distributions, since the system's PAM authentication framework is
+usually configured to check the strength of new passwords with the pam_cracklib
+PAM module.
+%endif
+
 %prep
 %setup -q
 # Remove JAR files from the tarball (used for testing from the source)
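Review bot: The cracklib-password-check subpackage requires cracklib-dict-small >= 2.9.0 (both BuildRequires and Requires), while the comment on with_cracklib_plugin and the changelog name cracklib-dict-full >= 2.9.0 as the dependency that is not available yet. Make the comment and the requirement agree so it is clear which package has to land before the switch can be set to 1. Requires: %{name} = %{version} could also include the release so the plugin stays in lockstep with the server build.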
@@ -341,6 +363,8 @@
 %patch7
 %patch8
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 
 cp %{_sourcedir}/suse-test-run .
 
@@ -399,7 +423,7 @@
        -DMYSQL_UNIX_ADDR="%{_rundir}/mysql/mysql.sock"              \
        -DINSTALL_UNIX_ADDRDIR="%{_rundir}/mysql/mysql.sock"         \
        -DINSTALL_MYSQLSHAREDIR=share/%{name}                        \
-       -DWITH_COMMENT="openSUSE mariadb rpm"                        \
+       -DWITH_COMMENT="MariaDB rpm"                                 \
        -DWITH_EXTRA_CHARSET=all                                     \
        -DDEFAULT_CHARSET=utf8mb4                                    \
        -DDEFAULT_COLLATION=utf8mb4_general_ci                       \
@@ -427,7 +451,7 @@
        -DWITH_INNODB_DISALLOW_WRITES=1                              \
        -DWITH_LIBARCHIVE=ON                                         \
        -DWITH_MARIABACKUP=ON                                        \
-       -DCOMPILATION_COMMENT="openSUSE package"                     \
+       -DCOMPILATION_COMMENT="MariaDB package"                      \
        -DDENABLE_DOWNLOADS=false                                    \
        -DINSTALL_PLUGINDIR_RPM="%{_lib}/mysql/plugin"               \
        -DINSTALL_LIBDIR_RPM="%{_lib}"                               \
@@ -507,7 +531,7 @@
 rm -f %{buildroot}%{_datadir}/mysql/mysqld_multi.server
 # The old fork of mytop utility (we ship it as a separate package)
 rm -f %{buildroot}%{_bindir}/mytop
-# xtrabackup is not supported for MariaDB 10.3
+# xtrabackup is not supported for MariaDB >= 10.3
 rm -f %{buildroot}%{_bindir}/wsrep_sst_xtrabackup-v2
 rm -f %{buildroot}%{_bindir}/wsrep_sst_xtrabackup
 
@@ -537,19 +561,15 @@
 rm %{buildroot}%{_mandir}/man1/mysql_config*.1*
 rm -r %{buildroot}%{_includedir}/mysql
 
-# mysql-test includes my_safe_process executable that should be moved to 
/usr/bin
-mv %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process 
%{buildroot}%{_bindir}
-ln -s ../../../../../bin/my_safe_process 
%{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process
-
 # Rename the wsrep README so it corresponds with the other README names
 cp Docs/README-wsrep Docs/README.wsrep
 
 # Generate various filelists (binaries and manpages)
 # mariadb.files
-filelist mariabackup mbstream innochecksum mariadb-service-convert 
my_print_defaults myisam_ftdump myisamchk myisamlog myisampack 
mysql_fix_extensions  mysql_install_db mysql_secure_installation mysql_upgrade 
mysqld mysqld_multi mysqld_safe mysqlbinlog mysqldumpslow resolve_stack_dump 
resolveip {m,}aria_chk {m,}aria_dump_log {m,}aria_ftdump {m,}aria_pack 
{m,}aria_read_log tokuft_logprint tokuft_logdump tokuftdump mysql_ldb sst_dump 
myrocks_hotbackup >mariadb.files
+filelist mariabackup mariadb-backup mbstream innochecksum 
mariadb-service-convert my_print_defaults myisam_ftdump myisamchk myisamlog 
myisampack mysql_fix_extensions mariadb-fix-extensions mysql_install_db 
mariadb-install-db mysql_secure_installation mariadb-secure-installation 
mysql_upgrade mariadb-upgrade mysqld mariadbd mysqld_multi mariadbd-multi 
mysqld_safe mariadbd-safe mysqlbinlog mariadb-binlog mysqldumpslow 
mariadb-dumpslow resolve_stack_dump resolveip {m,}aria_chk {m,}aria_dump_log 
{m,}aria_ftdump {m,}aria_pack {m,}aria_read_log tokuft_logprint tokuft_logdump 
tokuftdump mysql_ldb mariadb-ldb sst_dump myrocks_hotbackup >mariadb.files
 
 # mariadb-client.files
-filelist mysql mysqladmin mysqlcheck mysqldump mysqlimport mysqlshow 
mysql_config_editor mysqld_safe_helper >mariadb-client.files
+filelist mysql mariadb mysqladmin mariadb-admin mysqlcheck mariadb-check 
mysqldump mariadb-dump mysqlimport mariadb-import mysqlshow mariadb-show 
mysql_config_editor mysqld_safe_helper mariadbd-safe-helper mariadb-client-test 
 >mariadb-client.files
 
 # Mysql has configuration file in _bindir
 if [ -f scripts/mysqlaccess.conf ] ; then
@@ -562,13 +582,13 @@
 filelist galera_new_cluster galera_recovery wsrep_sst_common 
wsrep_sst_mariabackup wsrep_sst_mysqldump wsrep_sst_rsync wsrep_sst_rsync_wan 
>mariadb-galera.files
 
 # mariadb-bench.files
-filelist mysqlslap >mariadb-bench.files
+filelist mysqlslap mariadb-slap >mariadb-bench.files
 
 # mariadb-test.files
-filelist mysql_client_test mysql_client_test_embedded mysql_waitpid mysqltest 
mysqltest_embedded >mariadb-test.files
+filelist mysql_client_test mysql_client_test_embedded 
mariadb-client-test-embedded mysql_waitpid mariadb-waitpid mysqltest 
mariadb-test mysqltest_embedded mariadb-test-embedded >mariadb-test.files
 
 # mariadb-tools.files
-filelist msql2mysql mysql_plugin mysql_convert_table_format mysql_find_rows 
mysql_setpermission mysql_tzinfo_to_sql mysqlaccess mysqlhotcopy perror replace 
mysql_embedded >mariadb-tools.files
+filelist msql2mysql mysql_plugin mariadb-plugin mysql_convert_table_format 
mariadb-convert-table-format mysql_find_rows mariadb-find-rows 
mysql_setpermission mariadb-setpermission mysql_tzinfo_to_sql 
mariadb-tzinfo-to-sql mysqlaccess mariadb-access mysqlhotcopy mariadb-hotcopy 
perror replace mysql_embedded mariadb-embedded >mariadb-tools.files
 
 # All configuration files
 echo '%{_datadir}/mysql/*.cnf' >> mariadb.files
@@ -601,6 +621,7 @@
 install -D -m 755 %{_sourcedir}/mysql-systemd-helper 
'%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
 sed -i 's|@MYSQLVER@|%{version}|' 
'%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
 ln -sf service '%{buildroot}'%{_sbindir}/rcmysql
+ln -sf service '%{buildroot}'%{_sbindir}/rcmariadb
 rm -rf '%{buildroot}'%{_sysconfdir}/init.d
 install -D -m 644 %{_sourcedir}/mariadb.service 
'%{buildroot}'%{_unitdir}/mariadb.service
 install -D -m 644 %{_sourcedir}/[email protected] 
'%{buildroot}'%{_unitdir}/[email protected]
@@ -663,13 +684,18 @@
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE19} %{buildroot}%{_rpmconfigdir}/macros.d
 
+# install pam_user_map.so to /lib64/security for non 32bit architectures
+%ifnarch i586 %{arm} ppc
+mkdir -p %{buildroot}/%{_lib}/security
+mv %{buildroot}/lib/security/pam_user_map.so %{buildroot}/%{_lib}/security/
+%endif
 
 %check
 cd build
 
 # Run an extensive mysql test suite
-# If 0%{ignore_testsuite_result} == 1 then run all tests but ignore failures
-# If 0%{ignore_testsuite_result} == 0 then skip tests listed in unstable-tests
+# If ignore_testsuite_result == 1 then run all tests but ignore failures
+# If ignore_testsuite_result == 0 then skip tests listed in unstable-tests
 # (contains suse_skipped_tests.list) and don't ignore failures
 
 %if 0%{run_testsuite} > 0
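Review bot: The %ifnarch i586 %{arm} ppc guard lists 32-bit architectures by hand to decide whether pam_user_map.so has to be moved, so on any architecture missing from the list where %{_lib} is plain lib the mv gets the same source and destination and fails. Comparing the paths directly, for example %if "%{_lib}" != "lib", states the actual condition and needs no list. The comment also says /lib64/security while the code uses /%{_lib}/security.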
@@ -716,6 +742,8 @@
 %service_add_post mariadb.service
 %tmpfiles_create %{_tmpfilesdir}/mariadb.conf
 
+%set_permissions %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
+
 # SLE11 Migration support
 for i in protected tmp; do
     rmdir "$datadir"/.$i 2>/dev/null || :
@@ -737,14 +765,25 @@
 EOF
 fi
 
-# Warn on first run
+# Decide if the upgrade is needed
 datadir="`%{_bindir}/my_print_defaults mysqld mysql_server | sed -n 
's|--datadir=||p'`"
 [ -n "$datadir" ] || datadir="%{_localstatedir}/lib/mysql"
+
+# NOTE: .run-mysql_upgrade was moved and renamed to .mariadb_run_upgrade. 
Remove the old file and
+# create a new one if needed.
+rm -f "$datadir/.run-mysql_upgrade"
 if [ -d "$datadir/mysql" ]; then
-    touch "$datadir/.run-mysql_upgrade"
-    chmod 640 "$datadir/.run-mysql_upgrade"
+       touch "%{_localstatedir}/lib/misc/.mariadb_run_upgrade"
 fi
-if [ \! -f "$datadir/mysql_upgrade_info" ]; then
+
+# Manage showing of a README or upgrade messages
+# NOTE: mysql_upgrade_info was moved and renamed to mariadb_upgrade_info. Copy 
the content and remove it
+if [ -f "$datadir/mysql_upgrade_info" ]; then
+       cat "$datadir/mysql_upgrade_info" > 
"%{_localstatedir}/lib/misc/mariadb_upgrade_info"
+       rm -f "$datadir/mysql_upgrade_info"
+fi
+
+if [ \! -f "%{_localstatedir}/lib/misc/mariadb_upgrade_info" ]; then
     if [ $1 -eq 1 ]; then
         cat >> 
%{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something 
<< EOF
 
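Review bot: In the mysql_upgrade_info migration, root runs cat on "$datadir/mysql_upgrade_info" and redirects it into %{_localstatedir}/lib/misc, guarded only by [ -f ], which follows symlinks. $datadir is the location the changelog moves the status files out of so that the mysql user cannot use them for a symlink attack, so this one-time copy should not trust it either: skip the copy when the source is a symlink (add a [ ! -L ... ] test) and carry over only the version string rather than the whole file. The chmod 640 that was applied to the old marker file is dropped without replacement, so the mode of the new files now depends on the scriptlet's umask; set it explicitly.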
@@ -754,8 +793,8 @@
     fi
 else
     MYSQLVER="`echo %{version} | sed 's|\.[0-9]\+$||'`"
-    if [ -f "$datadir/mysql_upgrade_info" ] && \
-        [ -z "`grep "^$MYSQLVER" "$datadir/mysql_upgrade_info" 2> /dev/null`" 
]; then
+    if [ -f "%{_localstatedir}/lib/misc/mariadb_upgrade_info" ] && \
+        [ -z "`grep "^$MYSQLVER" 
"%{_localstatedir}/lib/misc/mariadb_upgrade_info" 2> /dev/null`" ]; then
     cat >> 
%{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something 
<< EOF
 
 WARNING: You are upgrading from different stable version of MySQL!
@@ -769,6 +808,9 @@
 fi
 exit 0
 
+%verifyscript
+%verify_permissions %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
+
 %preun
 %service_del_preun mariadb.service
 
@@ -783,6 +825,7 @@
 %dir %attr(0755, root, mysql) %{_sysconfdir}/my.cnf.d
 %config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf.d/*
 %exclude %{_sysconfdir}/my.cnf.d/50-galera.cnf
+%config(noreplace) %{_sysconfdir}/security/user_map.conf
 %config %{_sysconfdir}/logrotate.d/%{name}
 %doc %{_defaultdocdir}/%{name}
 %dir %{_libexecdir}/mysql
@@ -795,6 +838,7 @@
 %{_unitdir}/[email protected]
 %{_tmpfilesdir}/mariadb.conf
 %{_sbindir}/rcmysql
+%{_sbindir}/rcmariadb
 %dir %{_datadir}/%{name}
 %dir %{_datadir}/mysql
 %{_datadir}/%{name}/charsets/
@@ -805,6 +849,12 @@
 %dir %{_libdir}/mysql/plugin
 %{_libdir}/mysql/plugin/*.so
 %exclude %{_libdir}/mysql/plugin/dialog*.so
+%if 0%{with_cracklib_plugin} > 0
+%exclude %{_libdir}/mysql/plugin/cracklib_password_check.so
+%endif
+/%{_lib}/security/pam_user_map.so
+%dir %attr(0750, root, mysql) %{_libdir}/mysql/plugin/auth_pam_tool_dir
+%verify(not mode) %attr(4755,root,root) 
%{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 %ghost 
%{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something
 %dir %attr(0750, mysql, mysql) %{_localstatedir}/lib/mysql-files
 %if 0%{with_mroonga} > 0
@@ -857,7 +907,6 @@
 %{_datadir}/sql-bench
 
 %files test -f mariadb-test.files
-%{_bindir}/my_safe_process
 %{_bindir}/test-connect-t
 %{_mandir}/man1/my_safe_process.1%{?ext_man}
 %{_mandir}/man1/mysql-test-run.pl.1%{?ext_man}
@@ -872,4 +921,9 @@
 %{_bindir}/mysqlanalyze
 %{_bindir}/mysqloptimize
 
+%if 0%{with_cracklib_plugin} > 0
+%files cracklib-password-check
+%{_libdir}/mysql/plugin/cracklib_password_check.so
+%endif
+
 %changelog

++++++ _constraints ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.683978268 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.683978268 +0100
@@ -7,7 +7,7 @@
     </conditions>
     <hardware>
       <physicalmemory>
-        <size unit="G">6</size>
+        <size unit="G">10</size>
       </physicalmemory>
       <memory>
         <size unit="G">10</size>

++++++ macros.mariadb-test ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.703978187 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.707978171 +0100
@@ -11,6 +11,7 @@
 #
 
 %mysql_testserver_start(u:p:t:) \
+exit 0 \
 TEST_RUN_DIR=%{__mysql_test_run_dir} \
 TEST_USER="%{-u:%{-u*}}" \
 if [ -z "$TEST_USER" ]; then \
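Review bot: The exit 0 added as the first line of %mysql_testserver_start is expanded inline into the caller's script, so it ends the whole scriptlet that uses the macro with success, and everything the consuming package runs after the macro is skipped silently. If the macro has to stay disabled until the 10.4 problem is investigated, add a comment here saying why and print a message that the test server was not started, so a green build is not mistaken for a passed test run.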

++++++ mariadb-10.2.4-fortify-and-O.patch ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.719978122 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.719978122 +0100
@@ -9,14 +9,14 @@
 ===================================================================
 --- CMakeLists.txt.orig
 +++ CMakeLists.txt
-@@ -236,7 +236,6 @@ IF(NOT WITH_TSAN)
-     MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
-     MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
-     MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector 
--param=ssp-buffer-size=4")
--    MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE 
RELWITHDEBINFO)
-   ENDIF()
+@@ -238,7 +238,6 @@ IF(SECURITY_HARDENED AND NOT WITH_ASAN A
+   MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
+   MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
+   MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector 
--param=ssp-buffer-size=4")
+-  MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
  ENDIF()
  
+ INCLUDE(wsrep)
 Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
 ===================================================================
 --- storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake.orig
@@ -33,7 +33,7 @@
      )
  endif ()
  
-@@ -103,23 +101,23 @@ set_cflags_if_supported(
+@@ -102,23 +100,23 @@ set_cflags_if_supported(
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fexceptions")
  
  ## set extra debugging flags and preprocessor definitions
@@ -65,7 +65,7 @@
  else ()
    if (APPLE)
      set(FLTO_OPTS "-fwhole-program")
-@@ -127,10 +125,10 @@ else ()
+@@ -126,10 +124,10 @@ else ()
      set(FLTO_OPTS "-fuse-linker-plugin")
    endif()
    # we overwrite this because the default passes -DNDEBUG and we don't want 
that

++++++ mariadb-10.4.12-fix-install-db.patch ++++++
Index: mariadb-10.4.12/scripts/mysql_install_db.sh
===================================================================
--- mariadb-10.4.12.orig/scripts/mysql_install_db.sh
+++ mariadb-10.4.12/scripts/mysql_install_db.sh
@@ -482,20 +482,22 @@ if test -n "$user"
 then
   if test -z "$srcdir" -a "$in_rpm" -eq 0
   then
-    chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" && \
-    chmod 04755 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"
-    if test $? -ne 0
+    tool_ownership=`stat -c "%U:%G" 
"$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`
+    tool_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`
+
+    if test "$tool_ownership" != "root:root" -o "$tool_mode" != "4755"
     then
-        echo "Couldn't set an owner to 
'$pamtooldir/auth_pam_tool_dir/auth_pam_tool'."
-        echo "It must be root, the PAM authentication plugin doesn't work 
otherwise.."
+        echo "Permissions/ownership of the 
'$pamtooldir/auth_pam_tool_dir/auth_pam_tool' file are bad."
+        echo "It must be owned by root:root and have mode 4750."
         echo
     fi
-    chown $user "$pamtooldir/auth_pam_tool_dir" && \
-    chmod 0700 "$pamtooldir/auth_pam_tool_dir"
-    if test $? -ne 0
+
+    dir_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir"`
+    dir_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir"`
+    if test "$dir_ownership" != "root:mysql" -o "$dir_mode" != "750"
     then
-        echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' 
directory"
-        echo "to the '$user' user. Check that you have the necessary 
permissions and try again."
+        echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir' 
directory are bad."
+        echo "It must be owned by root:mysql and have mode 0750, the PAM 
authentication plugin doesn't work otherwise.."
         echo
     fi
   fi
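Review bot: The warning for auth_pam_tool says "It must be owned by root:root and have mode 4750", but the test just above it compares tool_mode against "4755", and the spec installs the file with %attr(4755,root,root); the message should say 4755. Two smaller points in the same block: the directory check hard-codes root:mysql although the surrounding code is parameterised on $user, and neither stat call is checked for failure, so a missing file produces an empty string and the generic "are bad" warning instead of a message that the file does not exist.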
++++++ mariadb-10.4.12-harden_setuid.patch ++++++
SUSE specific patch that hardens the auth_pam_tool setuid-root binary.
Matthias Gerstner wants it as a prerequisite for allowing auth_pam_tool
setuid-root binary in [bsc#1160285].

Index: mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c
===================================================================
--- mariadb-10.4.12.orig/plugin/auth_pam/auth_pam_base.c
+++ mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c
@@ -149,6 +149,12 @@ static int pam_auth_base(struct param *p
   const char *service = info->auth_string && info->auth_string[0]
                           ? info->auth_string : "mysql";
 
+  if( strcmp(service, "mysql") != 0 )
+  {
+         PAM_DEBUG((stderr, "PAM: rejecting non-standard PAM service %s\n", 
service));
+         return CR_ERROR;
+  }
+
   param->ptr = param->buf + 1;
 
   PAM_DEBUG((stderr, "PAM: pam_start(%s, %s)\n", service, info->user_name));
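Review bot: The new strcmp(service, "mysql") check makes every account whose auth_string names another PAM service fail with CR_ERROR, and the only trace of the rejection is a PAM_DEBUG line on stderr. Since this changes behaviour for existing configurations, report the rejection through a channel an administrator sees in a normal build, and document the restriction next to the check; the patch header explains it only by reference to bsc#1160285. The added block is also indented deeper than the two-space style of the surrounding function and writes the condition as if( ... ).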
++++++ mariadb-10.3.20.tar.gz -> mariadb-10.4.12.tar.gz ++++++
/work/SRC/openSUSE:Factory/mariadb/mariadb-10.3.20.tar.gz 
/work/SRC/openSUSE:Factory/.mariadb.new.26092/mariadb-10.4.12.tar.gz differ: 
char 5, line 1

++++++ mariadb-rpmlintrc ++++++
# This file contains a list of exceptions for rpmlint checker

# Zero-length
# Some test results can be zero-length files
addFilter(r'(zero-length|pem-certificate) /usr/share/mysql-test/*')

# Permissions
# wsrep_sst_common
#   It contains a parser of arguments for other sst scripts.
#   It is meant to be sourced, not to be executed alone.
#   So it correctly does not have shebang nor executable bit.
addFilter(r'non-executable-in-bin /usr/bin/wsrep_sst_common 644')
addFilter(r'script-without-shebang /usr/bin/wsrep_sst_common')

# Wrong location
# wsrep_check_version is a wsrep version check utility. Used in testing only.
addFilter(r'arch-dependent-file-in-usr-share .* 
/usr/share/mysql-test/lib/My/SafeProcess/wsrep_check_version')
# my_safe_process is an utility that encapsulates process creation, monitoring 
and cleanup. Used in testing only.
addFilter(r'arch-dependent-file-in-usr-share .* 
/usr/share/mysql-test/lib/My/SafeProcess/my_safe_process')
# pam_mariadb_mtr.so is a pam module to test pam authentication plugin. Used in 
pam.test only.
addFilter(r'arch-dependent-file-in-usr-share .* 
/usr/share/mysql-test/suite/plugins/pam/pam_mariadb_mtr.so')
++++++ mariadb.service ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.811977749 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.811977749 +0100
@@ -20,21 +20,53 @@
 #      EOF
 
 [Unit]
-Description=MySQL server
+Description=MariaDB database server
+Documentation=man:mysqld(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
 Wants=basic.target
 Conflicts=mariadb.target
 After=basic.target network.target 
 
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+
 [Service]
-Restart=on-abort
-Type=notify
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  install
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  upgrade
 ExecStart=/usr/lib/mysql/mysql-systemd-helper     start
 
+Type=notify
+User=mysql
+Group=mysql
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
 # Configures the time to wait for start-up/stop
 TimeoutSec=300
 
-[Install]
-WantedBy=multi-user.target
-Alias=mysql.service
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read 
/etc/shadow when it's chmod 0
+#   does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
+# Execute pre and post scripts as root, otherwise it does it as User=
+PermissionsStartOnly=true
+
+UMask=007
+
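Review bot: In CapabilityBoundingSet, two of the three capabilities are justified only by the comments' own doubts: CAP_AUDIT_WRITE is kept because auth_pam_tool "needs it on Debian for whatever reason", and CAP_DAC_OVERRIDE is described as "not needed if /etc/shadow is u+r". For this unit, confirm on a SUSE system which of them auth_pam_tool actually requires and drop the others, since CAP_DAC_OVERRIDE in the bounding set is what lets the setuid-root helper bypass file permission checks. The comments should then record the SUSE-specific reason.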

++++++ [email protected] ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.847977603 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.847977603 +0100
@@ -20,21 +20,53 @@
 #      EOF
 
 [Unit]
-Description=MySQL server - %I instance
+Description=MariaDB database server - %I instance
+Documentation=man:mysqld(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
 Wants=basic.target
 PartOf=mariadb.target
 After=basic.target network.target
 
+[Install]
+WantedBy=multi-user.target
+Alias=mysql.service
+
 [Service]
-Restart=on-abort
-Type=notify
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  install %i
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  upgrade %i
 ExecStart=/usr/lib/mysql/mysql-systemd-helper     start   %i
 
+Type=notify
+User=mysql
+Group=mysql
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abort
+RestartSec=5s
+
 # Configures the time to wait for start-up/stop
 TimeoutSec=300
 
-[Install]
-WantedBy=multi-user.target
-Alias=mysql.service
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read 
/etc/shadow when it's chmod 0
+#   does nothing for non-root, not needed if /etc/shadow is u+r
+# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
+# Execute pre and post scripts as root, otherwise it does it as User=
+PermissionsStartOnly=true
+
+UMask=007
+
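Review bot: The [Install] section moved to the top of this template unit still carries Alias=mysql.service, so every enabled instance asks for the same non-instance alias name. Drop the alias from the template or make it instance-specific, and keep the plain alias only in mariadb.service. The CapabilityBoundingSet comments are copied verbatim from mariadb.service, including the Debian remark, so any change to the capability list has to be made in both files.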

++++++ mysql-systemd-helper ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.879977473 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.879977473 +0100
@@ -10,6 +10,9 @@
        MYSQLVER="$(echo @MYSQLVER@ | sed 's|\.[0-9]\+$||')"
        mysql_daemon_user=mysql
        mysql_daemon_group=mysql
+       # status information directory (e.g. info about a necessity of upgrade, 
current version etc)
+       mariadb_status_dir="/var/lib/misc"
+       
        if [[ -z "$INSTANCE" ]]; then
                datadir=/var/lib/mysql
                socket="/run/mysql/mysql.sock"
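Review bot: mariadb_status_dir="/var/lib/misc" is set once, outside the if [[ -z "$INSTANCE" ]] branch, so all instances started through the template unit now share one mariadb_upgrade_info and one .mariadb_run_upgrade, where the old files lived in each instance's $datadir. The first instance to finish mysql_upgrade removes the flag and the remaining instances skip their upgrade. Derive the file names from the instance name, or use a per-instance subdirectory under the root-owned location.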
@@ -54,8 +57,7 @@
                echo "Creating MySQL privilege database... "
                mysql_install_db --rpm --user="$mysql_daemon_user" 
--datadir="$datadir" || \
                die "Creation of MySQL database in $datadir failed"
-               echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
-               chmod 640 "$datadir/mysql_upgrade_info"
+               echo -n "$MYSQLVER" > "$mariadb_status_dir"/mariadb_upgrade_info
        fi
 }
 
@@ -63,7 +65,7 @@
 mysql_upgrade() {
        # Run mysql_upgrade on every package install/upgrade. Not always
        # necessary, but doesn't do any harm.
-       if [[ -f "$datadir/.run-mysql_upgrade" ]]; then
+       if [[ -f "$mariadb_status_dir/.mariadb_run_upgrade" ]]; then
                echo "Checking MySQL configuration for obsolete options..."
                sed -i -e 
's|^\([[:blank:]]*\)skip-locking|\1skip-external-locking|' \
                       -e 's|^\([[:blank:]]*skip-federated\)|#\1|' /etc/my.cnf
@@ -116,10 +118,9 @@
                if /usr/bin/mysql_upgrade --no-defaults --force 
--socket="$protected/mysql.sock"; then
                        echo "Everything upgraded successfully"
                        up_ok=""
-                       rm -f "$datadir/.run-mysql_upgrade"
-                       [[ $(grep -q "^$MYSQLVER" "$datadir/mysql_upgrade_info" 
2> /dev/null) ]] || \
-                               echo -n "$MYSQLVER" > 
"$datadir/mysql_upgrade_info"
-                               chmod 640 "$datadir/mysql_upgrade_info"
+                       rm -f "$mariadb_status_dir/.mariadb_run_upgrade"
+                       [[ $(grep -q "^$MYSQLVER" 
"$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null) ]] || \
+                               echo -n "$MYSQLVER" > 
"$mariadb_status_dir/mariadb_upgrade_info"
                else
                        echo "Upgrade failed"
                        up_ok="false"
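Review bot: The condition [[ $(grep -q "^$MYSQLVER" ...) ]] can never be true, because grep -q prints nothing and the command substitution is always empty, so the echo -n "$MYSQLVER" after || runs on every successful upgrade regardless of what the file contains. The hunk carries the old construct over to the new path unchanged; test the exit status instead, i.e. grep -q "^$MYSQLVER" "$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null || echo -n "$MYSQLVER" > "$mariadb_status_dir/mariadb_upgrade_info".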
@@ -178,10 +179,8 @@
 
 INSTANCE="$2"
 read_config
-mkdir -p /run/mysql
-# fix permissions for /run/mysql (bsc#1038740)
-chmod 755 /run/mysql
-chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /run/mysql
+# Make sure that /run/mysql is created and has correct permissions 
(bsc#1038740)
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/mariadb.conf
 case "$1" in
        install)
                mysql_install ;;
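Review bot: The exit status of systemd-tmpfiles --create is not checked, so if it fails the helper continues to install, upgrade or start without /run/mysql in place. Use the die helper that already guards mysql_install_db, for example systemd-tmpfiles --create ... || die "Creation of /run/mysql failed". The path /usr/lib/tmpfiles.d/mariadb.conf is also hard-coded while the spec installs the file under %{_tmpfilesdir}; substituting it at build time the way @MYSQLVER@ is handled would keep the two in sync.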

++++++ suse_skipped_tests.list ++++++
--- /var/tmp/diff_new_pack.NVrrpy/_old  2020-02-25 16:00:53.907977359 +0100
+++ /var/tmp/diff_new_pack.NVrrpy/_new  2020-02-25 16:00:53.907977359 +0100
@@ -17,16 +17,30 @@
 rpl.rpl_row_img_eng_min                      : all MDEV-13875
 rpl.rpl_row_img_eng_noblob                   : all MDEV-13875
 
+# The tests of plugins we don't build
+main.plugin_auth                             : since 10.4.10 - all, we don't 
build mysql_clear_password plugin
+plugins.auth_ed25519                         : since 10.4.10 - all, we don't 
build client_ed25519 plugin
+plugins.multiauth                            : since 10.4.10 - all, we don't 
build client_ed25519 plugin
+unit.ed25519                                 : since 10.4.12 - ppc, we don't 
build client_ed25519 plugin
+
 #----------------------------------------------------------------
 
 # Needs to be investigated (issues trackers will be added)
 sys_vars.slave_parallel_threads_basic        : since 10.3.16 - x86_64, i386, 
s390x, armv7l, aarch64, ppc64, ppc64le
-rocksdb.2pc_group_commit                     : since 10.3.16 - x86_64 
MDEV-14455
-rocksdb.read_only_tx                         : since 10.3.16 - x86_64 rocksdb 
tests are considered unstable
-rocksdb.shutdown                             : since 10.3.16 - x86_64 rocksdb 
tests are considered unstable
-rocksdb.index_merge_rocksdb                  : since 10.3.16 - x86_64 rocksdb 
tests are considered unstable
-rocksdb_rpl.mdev12179                        : since 10.3.16 - x86_64 
MDEV-16632
 main.gis_notembedded                         : since 10.3.16 - x86_64, i386, 
s390x, armv7l, aarch64, ppc64, ppc64le
 versioning.partition                         : since 10.3.16 - armv7l
 innodb.innodb-page_compression_lzma          : since 10.3.20 - armv7l
-
+sys_vars.sysvars_wsrep                       : since 10.4.12 - ppc
+rpl.rpl_ip_mix                               : since 10.4.10 - all
+rpl.rpl_ip_mix2                              : since 10.4.10 - all
+rpl.rpl_ipv4_as_ipv6                         : since 10.4.10 - all
+rpl.rpl_ipv6                                 : since 10.4.10 - all 
+perfschema.socket_instances_func             : since 10.4.10 - all 
+main.ipv4_and_ipv6                           : since 10.4.10 - all 
+main.ipv4_as_ipv6                            : since 10.4.10 - all 
+main.ipv6                                    : since 10.4.10 - all 
+main.information_schema                      : since 10.4.10 - all 
+main.system_mysql_db                         : since 10.4.10 - all 
+main.gis_notembedded                         : since 10.4.10 - all 
+funcs_1.is_columns_mysql                     : since 10.4.10 - all 
+sys_vars.tcp_nodelay                         : since 10.4.10 - all
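Review bot: main.gis_notembedded is now listed twice, once in the existing "since 10.3.16" line and again in the added "since 10.4.10 - all" line; keep one entry. The entries added under "Needs to be investigated" disable tests on all architectures without a reason or tracker reference, including main.information_schema and main.system_mysql_db, so a short reason per entry would make it possible to re-enable them later. The rocksdb entries are removed without a changelog note, and several added lines end in trailing whitespace.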

