Bug 31430

Summary: mysql-connector-c++ new security issue CVE-2022-24407
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mysql-connector-c++-8.0.28-3.mga9.src.rpm CVE:
Status comment:
Bug Depends on: 30906    
Bug Blocks:    

Description David Walser 2023-01-18 19:56:54 CET 
Oracle CPU for January 2023 lists MySQL connector CVEs:
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL

We already fixed this in cyrus-sasl (Bug 30085), but if this package is bundling that code, we should link it to the system cyrus-sasl instead.
Comment 1 David Walser 2023-01-18 19:57:31 CET 
Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
CC: (none) => jani.valimaa

Comment 2 David GEIGER 2023-01-23 20:37:09 CET 
Done for both mga8 and Cauldron with  mysql-connector-c++-8.0.32-1.mga8 and  mysql-connector-c++-8.0.32-3.mga9!

CC: (none) => geiger.david68210

Comment 3 David Walser 2023-01-23 21:34:35 CET 
So David told me on IRC that it doesn't appear to bundle cyrus-sasl code but it *does* bundle protobuf, which we've built it against system protobuf, which is still affected by multiple security issues.  So, we'll need to address that too.

libmysqlcppconn8_2-8.0.32-1.mga8
libmysqlcppconn9-8.0.32-1.mga8
libmysqlcppconn8-devel-8.0.32-1.mga8

from mysql-connector-c++-8.0.32-1.mga8

Depends on: (none) => 30906
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 4 David Walser 2023-03-16 00:29:53 CET 
Now that protobuf has been addressed, assigning this to QA.

Package list in Comment 3.

Assignee: mageia => qa-bugs

Comment 5 Herman Viaene 2023-03-16 11:36:12 CET 
Mageia 8-64 MATE on Acer Aspire 5253.
No installation isues.
No previous updates.
Citing MCC "MySQL Connector/C++ is a MySQL database connector for C++ development. "
So as with others developer's area, OK on clean install.
Beside:
# urpmq --whatrequires lib64mysqlcppconn8_2
lib64mysqlcppconn8-devel
lib64mysqlcppconn8_2
# urpmq --whatrequires lib64mysqlcppconn9
lib64mysqlcppconn8-devel
lib64mysqlcppconn9

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-03-16 15:02:31 CET 
A clean install was all that was needed in Bug 29923, so it should be OK here, too.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:38:55 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-03-18 23:18:15 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0095.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED