GNU bug report logs - #47257
mariadb is vulnerable to CVE-2021-27928 (RCE)

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 19 Mar 2021 10:26:02 UTC

Severity: normal

Tags: security

Done: Léo Le Bouter <lle-bout <at> zaclys.net>

Bug is archived. No further changes may be made.


Message #31 received at 47257 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47257 <at> debbugs.gnu.org
Subject: Re: bug#47257: [PATCH 1/1] gnu: mariadb: Update to 10.5.9 [fixes
 CVE-2021-27928].
Date: Fri, 19 Mar 2021 20:42:33 -0400

Mark H Weaver <mhw <at> netris.org> writes:
> 'package/inherit' is usually the right thing when defining other kinds
> of package variants, however.

One addendum to this guideline: if the package variant you're defining
overrides the 'source' field[*], it's probably pointless to use
'package/inherit', because the fixes embodied in the original package's
replacement would most likely be lost anyway.

[*] One exception is if the overridden 'source' field merely adds some
additional patches to the original package, while taking care to
preserve any existing patches -- that last part is important, even if
the original package doesn't include any patches at the time you look.
In that case, 'package/inherit' might well be helpful.

More generally, when inheriting from another package, it's useful to ask
yourself what should happen if the package you're inheriting from is
later grafted, and to try to arrange for that to happen automatically.

     Thanks,
       Mark
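
One way to arrange the behaviour discussed in the message above, as an added example (not code from this thread or from Guix): a mariadb variant that appends a patch to the source, preserves any existing patches, and applies the same change to a replacement if one exists. It recurses over the `replacement` field explicitly rather than using `package/inherit`, so each replacement's own source is the one extended. The helper `with-extra-patches`, the module and variant names, and the patch file name are hypothetical.

```scheme
;; Added illustration; not code from this thread or from Guix itself.
(define-module (my-packages databases)       ; hypothetical module name
  #:use-module (guix packages)
  #:use-module (gnu packages)                ; search-patches
  #:use-module (gnu packages databases))     ; mariadb

;; Return a variant of P whose source carries EXTRA-PATCHES after any
;; patches P's source already has.  The same change is applied to P's
;; replacement (graft), if any, so the variant is grafted whenever P is.
(define (with-extra-patches p extra-patches) ; hypothetical helper
  (let ((src (package-source p)))
    (package
      (inherit p)
      (source (origin
                (inherit src)
                ;; Preserve existing patches, even if the list is
                ;; empty at the time of writing.
                (patches (append (origin-patches src) extra-patches))))
      ;; Rebuild the replacement from its own (fixed) source instead
      ;; of silently reusing the unpatched or ungrafted one.
      (replacement (and=> (package-replacement p)
                          (lambda (r)
                            (with-extra-patches r extra-patches)))))))

(define-public mariadb-with-local-fix        ; hypothetical variant name
  (with-extra-patches mariadb
                      ;; Placeholder file name; the file must exist on
                      ;; Guix's patch search path for this to load.
                      (search-patches "mariadb-local-fix.patch")))
```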




This bug report was last modified 4 years and 50 days ago.
