| Summary: | mysql-connector-java new security issue CVE-2020-2934 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | mysql-connector-java-8.0.16-3.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Contents of mysql-connector jar | ||
Description
David Walser
2020-04-21 22:08:00 CEST

David Walser
2020-04-21 22:08:08 CEST
Whiteboard: (none) => MGA7TOO

Changed a couple of header fields, hopefully correctly. Assigning to DavidG as being the active committer for this.
Component: Release (media or process) => Security

new version is in cauldron. Fixed mga7 version is: mysql-connector-java-8.0.20-1.mga7
CC: (none) => mageia

Do we have a reference that says the issue is fixed in 8.0.20? I can't find one, and the release notes don't mention it:
https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-20.html
Keywords: (none) => feedback

Debian has issued an advisory for this on June 11:
https://www.debian.org/security/2020/dsa-4703
You can check the patch for CVE-2020-2934 and make sure it is in this release.

David Walser
2020-06-21 14:49:41 CEST
Assignee: qa-bugs => mageia

Debian didn't add a patch, 5.1.49 fixed it upstream. We should be OK.
CC: qa-bugs, sysadmin-bugs => (none)

MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 20731 for testing, downloaded test file from bug 16070. Made sure mysqld is running, then:

```
$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
Mariadb_Connect.java:7: error: cannot find symbol
import com.mysql.jdbc.Connection;
^
symbol: class Connection
location: package com.mysql.jdbc
```

Error repeats another 5 times. Have been hunting in vain where this com.mysql.jdbc might come from, but no result so far.
CC: (none) => herman.viaene

We have Java 8 now, not 7, so you shouldn't force 7 in your test command.

Fedora has issued an advisory for this today (September 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerability:

A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands (CVE-2020-2934).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2934
https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-20.html
https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-8.0.20-1.mga7

from mysql-connector-java-8.0.20-1.mga7.src.rpm

Hmmmm, took David's advice as far as I understand it, so:

```
$ javac -cp /usr/share/java/mysql-connector-java.jar Mariadb_Connect.java
Mariadb_Connect.java:7: error: cannot find symbol
import com.mysql.jdbc.Connection;
^
symbol: class Connection
location: package com.mysql.jdbc
Mariadb_Connect.java:41: error: cannot find symbol
private static void create_tables(Connection lvcon) {
^
symbol: class Connection
location: class Mariadb_Connect
```

I think it's supposed to come from this package. Maybe the package or class name changed. What directory structure do you see if you run unzip -l on the jar file?

$ unzip -l /usr/share/java/mysql-connector-java.jar > mysqlconnjava.txt
File uploaded here, too long to copy here

Created attachment 11884
Contents of mysql-connector jar

Yeah, the API changed since your test case was written. Now all that's in package com.mysql.jdbc is Driver, SocketFactory, and SocketFactoryWrapper. Everything else is in com.mysql.cj, but there's no Connection class. We'll need to find an update example snippet. Or just approve on good install if we can't find one, as the API change would have been from Mageia 6 to 7, it isn't changing in this update.

I'll treat this then as we do with other "developers stuff", OK on clean install.
Whiteboard: (none) => MGA7-64-OK

Validating update, Advisory and packages Comment 9.
CC: (none) => ouaurelien, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0369.html
Status: NEW => RESOLVED
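The thread above asks for a test snippet that compiles against Connector/J 8, where the old com.mysql.jdbc.Connection import fails. The following is an added example, not from the bug report or the Mageia package: it first checks that the installed jar provides the 8.x driver class (no server needed), then, given a JDBC URL and credentials for a running mysqld, round-trips one row through a prepared statement. The class name ConnectorJSmokeTest, the table name qa_smoke and the invocation below are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added QA smoke test (assumed names), not from the bug report: against
// Connector/J 8.x use java.sql.Connection and com.mysql.cj.jdbc.Driver.
public class ConnectorJSmokeTest {

    // Step 1, no server needed: does the installed jar provide the 8.x driver?
    static boolean driverAvailable() {
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    // Step 2, needs a running mysqld: create a temporary table, insert one
    // row through a prepared statement and count it back.
    static int roundTrip(String url, String user, String password) throws SQLException {
        try (Connection con = DriverManager.getConnection(url, user, password)) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TEMPORARY TABLE qa_smoke (id INT PRIMARY KEY, note VARCHAR(64))");
            }
            try (PreparedStatement ps = con.prepareStatement("INSERT INTO qa_smoke VALUES (?, ?)")) {
                ps.setInt(1, 1);
                ps.setString(2, "driver " + con.getMetaData().getDriverVersion());
                ps.executeUpdate();
            }
            try (Statement st = con.createStatement();
                 ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM qa_smoke")) {
                return rs.next() ? rs.getInt(1) : -1;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        if (!driverAvailable()) {
            System.err.println("com.mysql.cj.jdbc.Driver not found: wrong or missing jar on the classpath");
            System.exit(1);
        }
        if (args.length < 3) return;   // usage: <jdbc-url> <user> <password>
        int rows = roundTrip(args[0], args[1], args[2]);
        System.out.println(rows == 1 ? "OK: one row round-tripped" : "FAIL: row count " + rows);
    }
}
```

Assumed invocation with the jar path from the thread: `javac -cp /usr/share/java/mysql-connector-java.jar ConnectorJSmokeTest.java` and then `java -cp /usr/share/java/mysql-connector-java.jar:. ConnectorJSmokeTest 'jdbc:mysql://localhost:3306/test?sslMode=VERIFY_CA' user password`. The sslMode property is Connector/J 8's own connection option; it makes the client verify the server certificate, which is the relevant hardening against the local-network interference the advisory describes, and is independent of the fix this update ships.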