| Summary: | mysql-connector-java new security issue CVE-2015-2575 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/646898/ | ||
| Whiteboard: | MGA4-64-OK advisory | ||
| Source RPM: | mysql-connector-java-5.1.26-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | java code written to test | ||
|
Description
David Walser
2015-06-01 23:53:55 CEST
David Walser
2015-06-01 23:54:05 CEST
CC: (none) => geiger.david68210

Update to 5.1.35 and sync with OpenSuSE committed in Mageia 4 and Cauldron SVN. Freeze push requested.

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerability:

Difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data (CVE-2015-2575).

The mysql-connector-java package has been updated to version 5.1.35 to fix this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2575
http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00089.html
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-5.1.35-1.mga4

from mysql-connector-java-5.1.35-1.mga4.src.rpm

Version:
Cauldron => 4

MGA4-32 on AcerD620 Xfce
No installation issues, but I have no idea how to make sure this does not break anything.

CC:
(none) => herman.viaene

According to the SuSE bug, this can be tested by using LibreOffice Base to connect to a MariaDB database.

Brian testing - MGA5 x86_64 (will test in MGA4 shortly)
Wrote java program to test basic connectivity and transactions. Working as designed. Will re-run on VM in MGA4.

CC:
(none) => brtians1

MGA 4 x86_64
Was able to run connector successfully through java program. I did not test the bug itself, but that the connector works correctly with the version of java running in MGA4 (java version "1.7.0_79")

Whiteboard:
(none) => MGA4 x86_64 OK

Can you post the test program that you used? Also, the whiteboard entry should read MGA4-64-OK.

Whiteboard:
MGA4 x86_64 OK => MGA4-64-OK

Created attachment 6809
java code written to test

(In reply to Brian Rockwell from comment #8)
> Created attachment 6809
> java code written to test

command line:
java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect

Note: to make this work, after installing the mysql-connect driver you also need to edit /etc/my.cnf: comment out the line skip-networking with a #. This allows the driver to communicate via tcp.

Compilation of the java code:
java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect

Note: I deliberately removed the code from a package to make it easy to command line compile and run.

Hope this makes sense,
Brian

from MGA5 - it uses java 1.8
javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java

Advisory committed to svn.

Someone from the sysadmin team please push 16070.adv to updates.

Keywords:
(none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0255.html

Status:
NEW =>
RESOLVED |