Emergency Release of MariaDB 10.5.8, 10.4.17, 10.3.27, and 10.2.36 is now available

The MariaDB Foundation is pleased to announce the availability of MariaDB 10.5.8, MariaDB 10.4.17, MariaDB 10.3.27, and MariaDB 10.2.36, the latest stable releases in their respective series.

Why do we release MariaDB again only a week after the 10.5.7, 10.4.16, etc? What’s the emergency?

The previous, scheduled set of releases (10.2 and up) included a security-related change — MariaDB Server became stricter about accepting network packets from the client. It never was particularly trusting, but there was still a loophole in the handling of prepared statements where the server just assumed that the client sends the correct data. …

Authentication in MariaDB 10.4 — Understanding the Changes

MariaDB Server 10.4 came with a whole lot of security-related changes. Some of them are merely optimizations (like MDEV-15649), some improve existing features to be more robust (MDEV-15473, MDEV-7598) or convenient (MDEV-12835, MDEV-16266). Some are MySQL compatibility features, requested by our users (MDEV-7597, MDEV-13095).

But the first thing any MariaDB Server user, whether an experienced veteran or a newbie, does — before even issuing the first SQL statement — is logging in. Authenticating to the database server. …

Duel: gdb vs. linked lists, trees, and hash tables

My first encounter with the gdb command duel was on some old IRIX about 15 years ago. I immediately loved how convenient it was for displaying various data structures during MySQL debugging, and I wished Linux had something similar. Later I found out that Duel was not something IRIX-specific, but a public domain patch for gdb 4.6 written in ’93 by Michael Golan. Unfortunately, it never got into gdb (for licensing reasons, so I’ve heard). Now gdb 8 is out, and the patch, obviously, doesn’t apply. Instead of fixing the patch, I’ve re-implemented Duel in Python, using the gdb Python API and the Arpeggio parser. …

Making life prettier with gdb PrettyPrinting API

Anyone who has peeked inside a gdb manual knows that gdb has some kind of Python API. And anyone who has skimmed through has seen something called “Pretty Printing” that supposedly tells gdb how to print complex data structures in a nice and readable way. Well, at least I have seen that, but I’ve never given it much thought. Still, one day, when I was typing:
(gdb) p/t table->read_set->bitmap[0] @ (table->read_set->n_bits+7)/8
for the umpteenth time I asked myself, “why the heck not?”, and so it began…

Who are you? The history of MySQL and MariaDB authentication protocols from 1997 to 2017

MySQL 3.20 to 4.0

In the good old days, when 32MB of RAM justified the name my-huge.cnf, when nobody knew Google and Facebook didn’t even exist, security was… how do I put it… kind of cute. Computer viruses didn’t steal millions and didn’t disrupt elections — they played Yankee Doodle or told you not to play with the PC. People used telnet and ftp, although some security conscious admins already knew ssh.

Somewhere around this time, give or take a few years, MySQL was born. And it had users, who had to be kept away from seeing others’ data, but allowed to use their own. …

MariaDB in Google Summer of Code 2016

And for the fourth year in a row, MariaDB Foundation participates in the Google Summer of Code! The MariaDB Organization in GSoC is an umbrella organization for all projects that belong to the MariaDB ecosystem, be it MariaDB Server, MariaDB Connectors, or MariaDB MaxScale. The complete list of our suggested project ideas is in MariaDB Jira. This year we were granted 10 student slots (as compared to 8 last year, 5 in 2014, and 3 in 2013). And it was good, as applicants this year were exceptionally strong. Our students have chosen these projects:

For the server:

  • MDEV-7773 Aggregate Stored Functions
    student: Varun Raiko, mentors: Sanja Byelkin and Vicențiu Ciorbaru

  • MDEV-8947 Cassandra connector support for 2.x
    student: Charles Muurmu, mentor: Sergey Petrunia
    blog: https://cassandrastorageenginev2.wordpress.com/

  • MDEV-4989 Support for GTID in mysqlbinlog
    student: Becca Tucker, mentors: Lixun Peng and Colin Charles

  • MDEV-9711 NO PAD collations
    student: Daniil Medvedev, mentor: Alexander Barkov

  • MDEV-9197 Pushdown conditions into non-mergeable views/derived tables
    student: Galina Shalygina, mentors: Igor Babaev and Sergey Petrunia
    blog: http://gsocmariadbshagalla.blogspot.ru/

  • MDEV-371 Unique indexes for blobs (server-side implementation) and adaptive hashing for generated hash
    student: Sachin Setiya, mentor: Sergei Golubchik

  • MDEV-371 Unique indexes for blobs (in MyISAM, Aria, InnoDB, and XtraDB)
    student: Shubham Barai, mentors: Jan Lindström and Sergei Golubchik

For the MariaDB Connector/C:

For the MariaDB MaxScale:

For the Master High Availability Manager for MySQL:

Many projects have two mentors to ensure that the student always gets a quick answer to his questions and someone is always available to help even if one of the mentors is, for example, on vacation. …

The State of SSL in MariaDB

Usually when one says “SSL” or “TLS” it means not a specific protocol but a family of protocols. The Wikipedia article has the details, but in short — SSL 2.0 and SSL 3.0 are deprecated and should not be used anymore (the well-known POODLE vulnerability exploits the flaw in SSL 3.0). TLS 1.0 is sixteen years old and while it’s still being used, new security standards (for example PCI DSS v3.1) require TLS 1.1 or, preferably, TLS 1.2.

MySQL has supported TLS 1.0 since 2001, which means MariaDB supported it from day one, and never supported the weaker SSL 2.0 or SSL 3.0. …

MariaDB 10.1.1: triggers for RBR

Sometimes users ask for something that doesn’t really make sense. At first glance. But then you start asking and realize that the user was right, you were wrong, and it is, actually, a perfectly logical and valid use case.

I had one of these moments when I heard about a request to make triggers work on the slave in row-based replication. Like, really? In RBR all changes made by triggers are replicated from the master to slaves as row events. If triggers were fired on the slave, they would make their changes twice. And anyway, assuming that one only has triggers on the slave (why?), in statement-based replication triggers would run on the slave normally, wouldn’t they? …