MariaDB is ontstaan als fork van MySQL, nadat dit in 2009-2010 door Oracle werd overgenomen. Voor een overzicht van de verschillen tussen MariaDB en MySQL kun je op deze en deze pagina’s terecht. MariaDB is een krachtige opensourcedatabaseserver, die vooral populair is als website- en forumdatabase. De ontwikkelaars hebben versies 10.5.8, 10.4.17, 10.3.27 en 10.2.36 uitgebracht. De eerste stable uit de 10.5-tak stamt uit juni 2020, de eerste stable uit de 10.4.x-tak is van juni 2019, de eerste stable uit de 10.3.x-tak is van mei 2018 en de eerste stable uit de 10.2.x-tak is van mei 2017. Alle vier hebben voor vijf jaar ondersteuning meegekregen. De beknopte aankondiging van deze uitgaves zien er als volgt uit: Emergency Release of MariaDB 10.5.8, 10.4.17, 10.3.27, and 10.2.36 is now available The MariaDB Foundation is pleased to announce the availability of MariaDB 10.5.8, MariaDB 10.4.17, MariaDB 10.3.27, and MariaDB 10.2.36, the latest stable releases in their respective series. Why do we release MariaDB again only a week after the 10.5.7, 10.4.16, etc? What’s the emergency? The previous, scheduled, set of releases (10.2 and up) included a security related change — MariaDB server became more strict about accepting network packets from the client. It never was particularly trusting, but still there was a loophole in the handling of prepared statements where the server just assumed that the client sends the correct data. Not anymore, since early November the server strictly validates all incoming packets and rejects invalid ones. This made the server more secure against malicious clients intentionally sending specially crafted invalid packets. Alas, it turned out that some popular connectors routinely send invalid packets violating protocol specifications. Among those connectors are old versions of the mysqlnd in PHP (fixed in PHP 7.3) and all versions of mysql-connector-python and mysql-connector-j. Luckily, mysql-connector-c implements the protocol correctly according to the specifications. But regardless of where the bug is, from the user point of view it’s MariaDB upgrade that broke their applications. And they cannot always move to PHP 7.3 or wait for Oracle to fix connectors. To help them we released today an emergency bug fix that partially relaxes packet validation and allows garbage at the end of the packet that these connectors send. It does not make the server less secure as long as the server is not trying to use this garbage. Note that 10.1.48 was not affected, and did not have to be re-released. And we now test third-party connectors in our buildbot to make sure MariaDB protocol changes will not break them again the future. Additionally we have used the chance to release fixes for bugs in InnoDB handling of indexed virtual columns and optimizations of long IN lists.
