Over the past few days extensive conversations around a new security vulnerability in MariaDB and MySQL have taken place.

It all started as a chain reaction when Monty Program publicly disclosed information about the flaw they had found and about how to make sure your MariaDB and MySQL installations can be fixed. The initial information got assigned the security vulnerabitlity identifier CVE-2012-2122 and the contents can be seen e.g. here http://seclists.org/oss-sec/2012/q2/493.

The bug was found two months ago on April 4th.

Before disclosing the information publicly, given the seriousness of this bug and considering the millions of MySQL and MariaDB installations deployed worldwide, Monty Program informed the biggest distributors of MySQL and MariaDB as a precaution.

On April 6th, Monty Program informed Oracle about it in bug report http://bugs.mysql.com/bug.php?id=64884 and provided a suggested fix.

The other big distributors of MySQL and MariaDB are the major Linux distributions that were alerted also in April and provided with a fix for old (unsupported by Oracle) MySQL versions. This gave Oracle and the Linux distributions some lead time to check if their MySQL and/or MariaDB builds were vulnerable and apply the provided fix if needed.

Whether your MySQL or MariaDB installation is vulnerable depends on where and how the binaries you use were built.

Official binaries of MariaDB, provided by Monty Program, MySQL binaries provided by Oracle and – in the case you use Percona’s provided binaries of their server – have all been tested. All these vendors have confirmed that the vulnerability isn’t present in their binaries and that it actually has never been present due to the way that the binaries are built.

All binaries listed on the SkySQL website are either official Oracle or official MariaDB binaries mirrored from dev.mysql.com/downloads and downloads.mariadb.org.

If you built your binaries yourself, you (or your database administrator) can easily test if your installation is vulnerable or not by following the instructions found e.g. here http://ronaldbradford.com/blog/repost-a-tragically-comedic-security-flaw-in-mysql-2012-06-11/.

In the case that you build or have built your own binaries another good piece of information is that the fix (getting rid of the problem independently of how you build) was first released in MariaDB in version 5.5.23 on April 10. Oracle followed by having the fix in MySQL 5.5.24 on May 7.

Most of us, MariaDB and MySQL users, do not have a need to build binaries on our own, i.e. we are on a platform that the official MariaDB and MySQL binaries are provided for and we do not have our own patches that would need to be applied before producing our own binaries.

For most of us it’s therefore recommended to get the binaries from the official channels, such as through the Linux distribution you use via the distribution’s repository or through the official download channel of the database, which in the case of MariaDB is http://downloads.mariadb.org.

Also, if you want to make sure that you’re on the latest version of MariaDB and you’re running on CentOS, Fedora, Debian, Red Hat or Ubuntu you should consider adding MariaDB’s official repository, http://downloads.mariadb.org/mariadb/repositories/.

MariaDB and/or MySQL packagers (such as Linux distributions) should make sure they sign up for the MariaDB mailing list intended for packagers at https://lists.askmonty.org/cgi-bin/mailman/listinfo/packagers to receive important notifications including early disclosure of security vulnerabilities, like this one.

If you’re not on the announce mailing list (low traffic) or following us on Facebook, you’ve missed the announcement of MariaDB 5.5.24 (release notes, changelog). Highlights include:

  • Includes all changes up to MariaDB 5.3.7 and MySQL 5.5.24
  • We’re providing RPM packages for RHEL/CentOS 5 & 6, as well as a YUM repository
  • Ubuntu 12.04 has been released, so we have “Precise” packages
  • There are now BSD 9 and Mac OS X 10.5 binaries as well

Many new ways to get and use MariaDB, download MariaDB 5.5.24 and let us know how you’re liking it. 

We’re quite happy that we’ve released four major releases that are production ready (better known as generally available or GA in the MySQL world) in the last 26 months. That is just a little over two years, and a whole lot of features. In that same time, MySQL has seen one GA release (MySQL 5.5) and we’re all eagerly awaiting the upcoming MySQL 5.6.

You’ll note that we built MariaDB 5.1, 5.2, and 5.3 based on the MySQL 5.1 codebase. A significant number of features went into MariaDB 5.3 (our biggest GA release to date), with the biggest changes in the optimizer in over a decade. There were also many replication based changes included like the now famous group commit for the binary log. Our Knowledgebase has a summary of MariaDB 5.3 features.

Work on MariaDB 5.3 started long before MySQL 5.5 went GA. It was a huge task to move all these 5.3 features into MariaDB 5.5 and at the same time merge MariaDB 5.5 with MySQL 5.5. It caused a significant delay in us getting a release of MariaDB 5.5 out there as production ready software. By now it must be clear that we included all changes in MariaDB 5.5 from 5.3, 5.2, and 5.1. We spent the time developing new features and keeping it current against current versions of MySQL.

We released MariaDB 5.5 in April and we have always aimed for short release cycles where possible to keep up with rapidly changing distributions. With this in mind many have been thinking about the release cycle from now onwards.

What will the next release of MariaDB, which we are working on, be called? We want to release our new features in a GA version soon and not wait for MySQL 5.6 to reach GA quality. But if we release a GA version before MySQL 5.6 is GA, it will be very confusing to call our release 5.6. In addition, this time there are no free version numbers between 5.5 and 5.6 like there were between 5.1 and 5.5 when we could use 5.2 and 5.3.

We are thinking of calling it MariaDB 10.0. It will include stable GA-ready features from MySQL 5.6 (these will be backported), as well as encompass some of our plans for the next release. It will be based on the MySQL 5.5 codebase. Then we plan to release MariaDB 10.1, MariaDB 10.2 and so on.

What happens when MySQL 5.6 is GA-ready? We’ll release a MariaDB version 11.0. It will include all the features of MariaDB 10, and encompass the features from the MySQL 5.6 codebase (that weren’t already backported into MariaDB in a previous release).

Does this mean we are veering away from being a backward compatible branch to MySQL? Of course not. We will be feature complete. We’re just in the lull of time between MySQL releases, in a similar fashion to what we did for MariaDB 5.2 and MariaDB 5.3. Astute followers will note that there is no MySQL 5.2 and 5.3.

Essentially this is just a change in the numbering scheme. A change which allows us to release more often than MySQL does. You are invited to contribute to the conversation on the maria-discuss mailing list.