OpenSuSE has issued an advisory on May 29:
http://lists.opensuse.org/opensuse-updates/2015-05/msg00089.html

The issue is fixed upstream in 5.1.35.

Mageia 4 and Mageia 5 are affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO, MGA4TOO
Update to 5.1.35 and sync with OpenSuSE committed in Mageia 4 and Cauldron SVN. Freeze push requested.
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerability:

Difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data (CVE-2015-2575).

The mysql-connector-java package has been updated to version 5.1.35 to fix this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2575
http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00089.html
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-5.1.35-1.mga4

from mysql-connector-java-5.1.35-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
MGA4-32 on AcerD620 Xfce
No installation issues, but I have no idea how to make sure this does not break anything.
CC: (none) => herman.viaene
According to the SuSE bug, this can be tested by using LibreOffice Base to connect to a MariaDB database.
Brian testing - MGA5 x86_64 (will test in MGA4 shortly)
Wrote java program to test basic connectivity and transactions. Working as designed. Will re-run on VM in MGA4.
CC: (none) => brtians1
MGA 4 x86_64
Was able to run connector successfully through java program. I did not test the bug itself, but that the connector works correctly with the version of java running in MGA4 (java version "1.7.0_79").
Whiteboard: (none) => MGA4 x86_64 OK
Can you post the test program that you used? Also, the whiteboard entry should read MGA4-64-OK.
Whiteboard: MGA4 x86_64 OK => MGA4-64-OK
Created attachment 6809 [details] java code written to test
(In reply to Brian Rockwell from comment #8)
> Created attachment 6809 [details]
> java code written to test

Command line:
java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect

Note: to make this work, after installing the mysql-connect driver you also need to edit /etc/my.cnf and comment out the line skip-networking with a #. This allows the driver to communicate via TCP.

Compilation of the java code:
javac -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect.java

Note: I deliberately removed the code from a package to make it easy to command line compile and run.

Hope this makes sense,
Brian
From MGA5 - it uses java 1.8:
javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
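A connectivity-and-transaction smoke test of the kind described in the comments above, as an added example; it is not attachment 6809 and not code from any participant in this bug. The class name ConnectorSmokeTest, the DB_URL/DB_USER/DB_PASS environment variables, the database name test and the default credentials are assumptions, and the account needs permission to create temporary tables.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example with a hypothetical class name; this is not attachment 6809.
public class ConnectorSmokeTest {
    // Read a setting from the environment (variable names are assumptions).
    static String env(String name, String fallback) {
        String v = System.getenv(name);
        return v != null ? v : fallback;
    }

    static void insert(Connection c, int id, String v) throws SQLException {
        try (PreparedStatement p = c.prepareStatement("INSERT INTO smoke (id, v) VALUES (?, ?)")) {
            p.setInt(1, id);
            p.setString(2, v);
            p.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Connector/J connects over TCP, so this fails while skip-networking is still set.
        String url = env("DB_URL", "jdbc:mysql://127.0.0.1:3306/test");
        try (Connection c = DriverManager.getConnection(url, env("DB_USER", "root"), env("DB_PASS", ""))) {
            // Confirm which connector jar was actually loaded from the classpath.
            System.out.println("driver: " + c.getMetaData().getDriverName()
                    + " " + c.getMetaData().getDriverVersion());
            try (Statement s = c.createStatement()) {
                s.executeUpdate("CREATE TEMPORARY TABLE smoke (id INT PRIMARY KEY, v VARCHAR(16)) ENGINE=InnoDB");
            }
            c.setAutoCommit(false);
            insert(c, 1, "kept");      // committed row must survive
            c.commit();
            insert(c, 2, "dropped");   // rolled-back row must disappear
            c.rollback();
            try (Statement s = c.createStatement();
                 ResultSet r = s.executeQuery("SELECT COUNT(*) FROM smoke")) {
                r.next();
                if (r.getInt(1) != 1) {
                    throw new IllegalStateException("rollback not honoured, rows=" + r.getInt(1));
                }
            }
            System.out.println("OK: connect, commit and rollback behave as expected");
        }
    }
}
```

The printed driver version shows whether the updated 5.1.35 jar is the one on the classpath, which a bare connectivity check does not confirm.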
Advisory committed to svn. Someone from the sysadmin team please push 16070.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0255.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED