Bug 31432

Summary: mysql-connector-python new security issue CVE-2022-1941
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Python Stack Maintainers <python>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: yvesbrungard
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
See Also: https://bugs.mageia.org/show_bug.cgi?id=31431
https://bugs.mageia.org/show_bug.cgi?id=30906
Whiteboard: MGA8TOO
Source RPM: mysql-connector-python-8.0.21-4.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2023-01-18 19:58:28 CET
Oracle CPU for January 2023 lists MySQL connector CVEs:
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL

This issue is actually in protobuf, which we haven't addressed (Bug 30906).

If this package bundles protobuf, we should link it to the system one.

Mageia 8 is also affected.
David Walser 2023-01-18 19:58:34 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-01-18 21:34:34 CET
Assigning to python stack maintainers, but this bug is a clone of bug 31431.
See also bug 30906.

Assignee: bugsquad => python
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31431, https://bugs.mageia.org/show_bug.cgi?id=30906

Comment 2 David Walser 2023-01-19 01:36:20 CET
It's not a clone.  Different CVE, different package.

Comment 3 papoteur 2023-05-13 16:25:48 CEST
This package is noarch. It requires python3-protobuf which is provided by protobuf source.
The CVE-2022-1941 report cites python-protobuf as being affected, but not mysql-connector-python.
Thus I don't think that this package is affected.

CC: (none) => yves.brungard_mageia

Comment 4 David Walser 2023-05-14 01:41:23 CEST
I'll buy that.

Resolution: (none) => INVALID
Status: NEW => RESOLVED