From: zimoun
To: Léo Le Bouter, 47257@debbugs.gnu.org
Subject: bug#47257: mariadb is vulnerable to CVE-2021-27928 (RCE)
Date: Fri, 19 Mar 2021 12:35:11 +0100
Message-ID: <86r1kbl6kw.fsf@gmail.com>
In-Reply-To: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
References: <7d6d60c61fc372f62125ef5a36bc22956db5907e.camel@zaclys.net>
X-GNU-PR-Message: followup 47257
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

Hi,

On Fri, 19 Mar 2021 at 11:25, Léo Le Bouter via Bug reports for GNU Guix wrote:

> Is it possible to graft mariadb you think? I am thinking this issue
> doesn't need updating of the "lib" output which is what's causing the
> high number of dependents AIUI. I am not sure we could actually update
> individual outputs right now though. Might be a good idea to split the
> packages for the future.

Instead of grafting, I would first check the compatibility between mariadb and zstd.
Because mariadb@10.5.8 does not build with zstd@1.4.9, at least on my machine.

In other words, it seems better to me to do this fix as a whole on core-updates without any graft. Instead of grafting here and there; and not necessarily small changes (zstd from 1.4.4 to 1.4.9, mariadb from 10.5.8 to 10.5.8).

All the best,
simon