GNU bug report logs - #47257
mariadb is vulnerable to CVE-2021-27928 (RCE)
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Fri, 19 Mar 2021 10:26:02 UTC
Severity: normal
Tags: security
Done: Léo Le Bouter <lle-bout <at> zaclys.net>
Bug is archived. No further changes may be made.
Hi Léo,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:
> * gnu/packages/databases.scm (mariadb/fixed): New variable.
> (mariadb)[replacement]: Graft.
> ---
> gnu/packages/databases.scm | 33 +++++++++++++++++++++++++++++++++
> 1 file changed, 33 insertions(+)
>
> diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
> index 8be83f5cbe..6fdb22d7fb 100644
> --- a/gnu/packages/databases.scm
> +++ b/gnu/packages/databases.scm
> @@ -734,6 +734,7 @@ Language.")
> (append (find-files "extra/wolfssl")
> (find-files "zlib")))
> #t))))
> + (replacement mariadb/fixed)
> (build-system cmake-build-system)
> (outputs '("out" "lib" "dev"))
> (arguments
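Review bot: the added `(replacement mariadb/fixed)` line carries no comment saying why the graft exists, and the changelog entry above only says "Graft." A one-line comment next to it naming CVE-2021-27928 (the issue in this report's title) would tell whoever later removes the graft what it was for.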
> @@ -969,6 +970,38 @@ Language.")
> as a drop-in replacement of MySQL.")
> (license license:gpl2)))
>
> +(define mariadb/fixed
> + (package/inherit mariadb

Please don't use 'package/inherit' when the package you're defining is a
replacement to the package you're inheriting from. It creates a package
object with an infinite chain of grafts. I guess that the infinite
chain gets truncated somewhere in the grafting machinery, but I seem to
recall that this kind of thing has caused real problems in the past.
'package/inherit' is usually the right thing when defining other kinds
of package variants, however.

Thanks again for all of your recent work on improving our security. It
is a great help.

Regards,
Mark

This bug report was last modified 4 years and 49 days ago.