Updated mariadb packages fix problems with mysql-connectors
Publication date: 13 Nov 2020Type: bugfix
Affected Mageia releases : 7
Description
Emergency release of MariaDB fixes problems with buggy mysql-connectors (PHP,Python and Java) The previous Mageia's MariaDB 10.3.26 included a security related change: MariaDB server became more strict about accepting network packets from the client. It never was particularly trusting, but still there was a loophole in the handling of prepared statements where the server just assumed that the client sends the correct data. Not anymore, since early November the server strictly validates all incoming packets and rejects invalid ones. This made the server more secure against malicious clients intentionally sending specially crafted invalid packets. Alas, it turned out that some popular connectors routinely send invalid packets violating protocol specifications. Among those connectors are old versions of the mysqlnd in PHP (fixed in PHP 7.3) and all versions of mysql-connector-python and mysql-connector-j. Luckily, mysql-connector-c implements the protocol correctly according to the specifications. But regardless of where the bug is, from the user point of view it’s MariaDB upgrade that broke their applications. And they cannot always move to PHP 7.3 or wait for Oracle (Java) to fix connectors. To help them, upstream released an emergency bug fix that partially relaxes packet validation and allows garbage at the end of the packet that these connectors send. It does not make the server less secure as long as the server is not trying to use this garbage.
References
SRPMS
7/core
- mariadb-10.3.27-1.mga7