Bug 29567

Summary: mysql-connector-java new security issues CVE-2021-2471, CVE-2022-21363, CVE-2023-21971
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, mageia, nicolas.salguero
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: mysql-connector-java-8.0.32-1.mga9.src.rpm CVE:
Status comment: Fixed upstream in 8.0.33

Description David Walser 2021-10-20 01:50:46 CEST 
October 2021 Oracle CPU:
https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL

The issue is fixed upstream in 8.0.27.

Mageia 8 is also affected.
David Walser 2021-10-20 01:50:58 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 8.0.27

Comment 1 Nicolas Lécureuil 2021-10-26 18:21:15 CEST 
Fixed in cauldron.

Fixed in mga8:

src:
    mysql-connector-java-8.0.27-1.mga8
rpms:
    mysql-connector-java-8.0.27-1.mga8.noarch

Status comment: Fixed upstream in 8.0.27 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: java => qa-bugs

Nicolas Lécureuil 2021-10-26 18:23:02 CEST

Assignee: qa-bugs => mageia

David Walser 2021-10-26 22:19:34 CEST

Status comment: (none) => Fixed upstream in 8.0.27

Comment 2 David Walser 2022-01-21 20:26:50 CET 
January 2022 Oracle CPU:
https://www.oracle.com/security-alerts/cpujan2022.html#AppendixMSQL

The issue is fixed upstream in 8.0.28.

Mageia 8 is also affected.

Status comment: Fixed upstream in 8.0.27 => Fixed upstream in 8.0.28
Source RPM: mysql-connector-java-8.0.23-1.mga9.src.rpm => mysql-connector-java-8.0.27-1.mga9.src.rpm
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Summary: mysql-connector-java new security issue CVE-2021-2471 => mysql-connector-java new security issues CVE-2021-2471 and CVE-2022-21363

Comment 3 David Walser 2022-03-02 20:40:58 CET 
openSUSE has issued an advisory for the first issue today (March 2):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FPABDE53LLJDPCFTIOU2DXOPZRS7JPVT/
Comment 4 David Walser 2023-01-25 22:24:36 CET 
mysql-connector-java-8.0.32-1.mga9 uploaded by David Geiger for Cauldron.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => geiger.david68210

Comment 5 David Walser 2023-04-19 14:38:17 CEST 
April 2023 Oracle CPU:
https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixMSQL

The issue is fixed upstream in 8.0.33.

Mageia 8 is also affected.

Summary: mysql-connector-java new security issues CVE-2021-2471 and CVE-2022-21363 => mysql-connector-java new security issues CVE-2021-2471, CVE-2022-21363, CVE-2023-21971
Version: 8 => Cauldron
Source RPM: mysql-connector-java-8.0.27-1.mga9.src.rpm => mysql-connector-java-8.0.32-1.mga9.src.rpm
Status comment: Fixed upstream in 8.0.28 => Fixed upstream in 8.0.33
Whiteboard: (none) => MGA8TOO

Comment 6 David GEIGER 2023-04-19 21:01:29 CEST 
Done for Cauldron, freeze_move requested!
Comment 7 David Walser 2023-05-19 20:30:44 CEST 
Freeze move done for Cauldron.

SUSE has issued an advisory for the latest issue on May 18:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014924.html

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 8 Nicolas Salguero 2024-01-12 09:30:51 CET 
Mageia 8 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero