Software Update: MariaDB 10.5.8 / 10.4.17 / 10.3.27 / 10.2.36


MariaDB originated as a fork of MySQL after the latter was acquired by Oracle in 2009-2010. For an overview of the differences between MariaDB and MySQL, see these two pages. MariaDB is a powerful open source database server that is especially popular as a database for websites and forums. The developers have released versions 10.5.8, 10.4.17, 10.3.27 and 10.2.36. The first stable release of the 10.5 branch dates from June 2020, the first stable release of the 10.4.x branch from June 2019, the first stable release of the 10.3.x branch from May 2018, and the first stable release of the 10.2.x branch from May 2017. All four branches receive five years of support. The abbreviated announcements for these releases read as follows:

Emergency Release of MariaDB 10.5.8, 10.4.17, 10.3.27, and 10.2.36 is now available

The MariaDB Foundation is pleased to announce the availability of MariaDB 10.5.8, MariaDB 10.4.17, MariaDB 10.3.27, and MariaDB 10.2.36, the latest stable releases in their respective series.

Why do we release MariaDB again only a week after the 10.5.7, 10.4.16, etc? What’s the emergency?

The previous, scheduled, set of releases (10.2 and up) included a security related change — MariaDB server became more strict about accepting network packets from the client. It never was particularly trusting, but still there was a loophole in the handling of prepared statements where the server just assumed that the client sends the correct data. Not anymore, since early November the server strictly validates all incoming packets and rejects invalid ones. This made the server more secure against malicious clients intentionally sending specially crafted invalid packets.

Alas, it turned out that some popular connectors routinely send invalid packets violating protocol specifications. Among those connectors are old versions of the mysqlnd in PHP (fixed in PHP 7.3) and all versions of mysql-connector-python and mysql-connector-j. Luckily, mysql-connector-c implements the protocol correctly according to the specifications.

But regardless of where the bug is, from the user point of view it’s the MariaDB upgrade that broke their applications. And they cannot always move to PHP 7.3 or wait for Oracle to fix connectors.

To help them we released today an emergency bug fix that partially relaxes packet validation and allows garbage at the end of the packet that these connectors send. It does not make the server less secure as long as the server is not trying to use this garbage. Note that 10.1.48 was not affected, and did not have to be re-released.

And we now test third-party connectors in our buildbot to make sure MariaDB protocol changes will not break them again in the future.

Additionally we have used the chance to release fixes for bugs in InnoDB handling of indexed virtual columns and optimizations of long IN lists.
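To make the change described in the announcement concrete, here is an added illustration (not MariaDB's code and not a description of its actual validation routine): a minimal parser for the COM_STMT_EXECUTE packet of the MySQL/MariaDB client-server protocol, with a strict mode that rejects any bytes left over after the last parameter value and a relaxed mode that tolerates them without ever reading them, while truncated packets are refused in both modes. It assumes the client always sends the parameter types (new-params-bound flag = 1), supports only LONG and VAR_STRING parameters, and uses constructed sample packets.

```python
import struct
MYSQL_TYPE_LONG, MYSQL_TYPE_VAR_STRING = 3, 253  # 4-byte int / length-encoded string
def _lenenc_int(buf, pos):
    """Decode a MySQL length-encoded integer at buf[pos]; return (value, next_pos)."""
    size = {0xFC: 2, 0xFD: 3, 0xFE: 8}.get(buf[pos], 0) if pos < len(buf) else None
    if size is None or buf[pos] in (0xFB, 0xFF) or pos + 1 + size > len(buf):
        raise ValueError("bad or truncated length-encoded integer")
    return (buf[pos] if size == 0 else int.from_bytes(buf[pos + 1:pos + 1 + size], "little")), pos + 1 + size
def parse_stmt_execute(payload, num_params, strict=True):
    """Parse a COM_STMT_EXECUTE payload. strict=True rejects trailing bytes; strict=False tolerates
    but never reads them. Assumes types are sent (new-params-bound flag = 1), LONG/VAR_STRING only."""
    if len(payload) < 10 or payload[0] != 0x17:
        raise ValueError("not a COM_STMT_EXECUTE packet")
    stmt_id = struct.unpack_from("<I", payload, 1)[0]  # followed by flags(1), iterations(4)
    pos, params = 10, []
    if num_params:  # known server-side from the earlier COM_STMT_PREPARE
        bitmap_len = (num_params + 7) // 8
        null_bitmap, pos = payload[pos:pos + bitmap_len], pos + bitmap_len
        if pos + 1 + 2 * num_params > len(payload) or payload[pos] != 1:
            raise ValueError("truncated or unsupported parameter header")
        types = [payload[pos + 1 + 2 * i] for i in range(num_params)]  # (type, flag) pairs
        pos += 1 + 2 * num_params
        for i, ptype in enumerate(types):
            if null_bitmap[i // 8] & (1 << (i % 8)):
                params.append(None)
            elif ptype == MYSQL_TYPE_LONG and pos + 4 <= len(payload):
                params.append(struct.unpack_from("<i", payload, pos)[0])
                pos += 4
            elif ptype == MYSQL_TYPE_VAR_STRING:
                length, pos = _lenenc_int(payload, pos)
                if pos + length > len(payload):
                    raise ValueError("truncated string value")
                params.append(payload[pos:pos + length].decode())
                pos += length
            else:
                raise ValueError(f"truncated value or unsupported type {ptype}")
    trailing = len(payload) - pos  # bytes the parser never consumed
    if trailing and strict:
        raise ValueError(f"{trailing} unexpected trailing byte(s)")
    return {"stmt_id": stmt_id, "params": params, "ignored_trailing": trailing}

def verdict(payload, num_params, strict):
    try:
        result = parse_stmt_execute(payload, num_params, strict)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"accepted {result['params']}, ignored {result['ignored_trailing']} trailing byte(s)"

# Constructed sample: statement 1 with LONG 42 and VAR_STRING "alice"; JUNK adds two stray bytes.
GOOD = bytes([0x17]) + struct.pack("<IBI", 1, 0, 1) + b"\x00\x01\x03\x00\xfd\x00" + struct.pack("<i", 42) + b"\x05alice"
JUNK = GOOD + b"\x00\x00"
```

Running verdict(JUNK, 2, True) and verdict(JUNK, 2, False) shows the difference between the early-November server and the emergency release: the same packet is rejected in strict mode and accepted in relaxed mode, with the two stray bytes counted but never interpreted.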

Version number: 10.5.8 / 10.4.17 / 10.3.27
Release status: Final
Operating systems: Windows 7, Linux, BSD, macOS, Solaris, UNIX, Windows Server 2012, Windows 8, Windows 10, Windows Server 2016
Website: MariaDB
Download: https://downloads.mariadb.org/mariadb/
License type: Conditions (GNU/BSD/etc.)