libmariadb3 fails to include caching_sha2_password.so

Hi Daniel!
Thanks for this very detailed and useful report.

The fix was merged 2 weeks ago https://salsa.debian.org/mariadb-team/mariadb-10.3/-/merge_requests/30 but I am not sure when it will hit Ubuntu.

Maybe Otto could confirm?

The MR linked above was merged on the Buster branch, see https://salsa.debian.org/mariadb-team/mariadb-10.3/-/network/buster

It is not on the Ubuntu branches currently.

The Buster branch is also not yet uploaded, as it is pending permission from Debian release managers to get uploaded in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988255

I changed the metadata of this Launchpad issue to indicate the severity of the issue, and will later champion this change into a stable Ubuntu release update.

As said in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988255 the fix will be provided in next Debian 10.10 update point.

@otto, I have no idea when this will hit Ubuntu though.

At https://tracker.debian.org/pkg/mariadb-10.3 one can see the overview for MariaDB 10.3.

The bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988255 was fixed in 1:10.3.29-0+deb10u1 which is now in Debian stable (Buster) and from https://launchpad.net/ubuntu/+source/mariadb-10.3 one can see that 1:10.3.29-0ubuntu0.20.10.1 is in Groovy and 1:10.3.29-0ubuntu0.20.04.1 in Focal.

However the commit https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commit/4562041f1afdcce5a313fc70478a0fbf789966a1 went only on the Buster branch on Salsa. We need to apply it also on the Groovy and Focal branches next time we upload. MariaDB 10.3.10 would be a candidate, but it is not a security release. I don't remember if we ever shipped "stable udpates" into Ubuntu and what is the process. Maybe we will wait until August for 10.3.31 and put this commit in there..?

This is a critical bug. More so on Ubuntu because of it installing MySQL by default. It affects all default connections to the MySQL with MariaDB connector/C and its dependent library, and every application that depends on this libmariadb3.

I thought the merge 5 months ago into buster would of made it to the 2 months ago 10.2.29 release. Odd, but so was the 10.5 only #962597 fix.

If you don't want to package 10.3.30 because it only includes bug fixes and not security fixes, ok, but package increment on libmariadb3-1:10.3.29 to resolve this please.

Filed https://bugs.launchpad.net/ubuntu/+source/mariadb-10.3/+bug/1936727 to get SRU into Ubuntu, following steps outlined at https://wiki.ubuntu.com/StableReleaseUpdates

This bug was fixed in the package mariadb-10.3 - 1:10.3.30-0ubuntu0.20.04.1

---------------
mariadb-10.3 (1:10.3.30-0ubuntu0.20.04.1) focal-security; urgency=medium

  * New upstream version 10.3.30 includes fixes for a critical bug that
    was compromising the results of some type of queries (subqueries with
    group by): https://jira.mariadb.org/browse/MDEV-25714 (LP: #1936727)
  * Fix Perl executable path in scripts (stop using 'env') (Closes: #991472)
    Upstream MariaDB has broken shebangs (#!/usr/bin/env perl) in several
    scripts, thus rendering them potentially loading the wrong Perl version
    and rendering the scripts unusable. Fixing the shebang recovers correct
    behaviour.

  [ Daniel Black ]
  * Add caching_sha2_password.so (Closes: #962597) (LP: #1913676)

 -- Otto Kekäläinen <email address hidden> Sat, 17 Jul 2021 15:59:58 -0700