Bug 20732

Summary: mysql-connector-python new security issue CVE-2017-3590
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: All Packagers <pkg-bugs>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, mhrambo3501
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: mysql-connector-python-2.1.3-1.mga6.src.rpm CVE: CVE-2017-3590
Status comment:

Description David Walser 2017-04-23 19:03:33 CEST
The April 2017 Oracle CPU includes security issues in MySQL Connector Python:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

The issue is fixed in 2.1.6.

Mageia 5 may also be affected.
David Walser 2017-04-23 19:03:39 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-24 10:15:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Nicolas Lécureuil 2017-04-24 12:02:28 CEST

CC: (none) => mageia
CVE: (none) => CVE-2017-3590
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 2 Mike Rambo 2017-07-27 14:13:31 CEST
Neoclust fixed this for 6/cauldron back in April and forgot to update the bug. Given that Oracle says this is a low-risk, local-only exploit, and Mageia 5 will be EOL in around 90 days, I'd say the risk of breakage due to the large jump from 1.0.7 to 2.1.6 might not be warranted for 5. As the bug is set explicitly for 5, I'm going to close this WONTFIX. If anyone thinks otherwise, they are welcome to reopen and fix as desired.

Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => WONTFIX