Bug 16070 - mysql-connector-java new security issue CVE-2015-2575
Summary: mysql-connector-java new security issue CVE-2015-2575
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/646898/
Whiteboard: MGA4-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-01 23:53 CEST by David Walser
Modified: 2015-07-05 19:23 CEST (History)

See Also:
Source RPM: mysql-connector-java-5.1.26-4.mga5.src.rpm
CVE:
Status comment:


Attachments
java code written to test (3.26 KB, text/x-java)
2015-07-04 01:41 CEST, Brian Rockwell

Description David Walser 2015-06-01 23:53:55 CEST
OpenSuSE has issued an advisory on May 29:
http://lists.opensuse.org/opensuse-updates/2015-05/msg00089.html

The issue is fixed upstream in 5.1.35.

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-01 23:54:05 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-14 17:23:29 CEST
Update to 5.1.35 and sync with OpenSuSE committed in Mageia 4 and Cauldron SVN.

Freeze push requested.
Comment 2 David Walser 2015-06-15 23:23:43 CEST
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerability:

Difficult to exploit vulnerability allows successful authenticated network
attacks via multiple protocols. Successful attack of this vulnerability can
result in unauthorized update, insert or delete access to some MySQL
Connectors accessible data as well as read access to a subset of MySQL
Connectors accessible data (CVE-2015-2575).

The mysql-connector-java package has been updated to version 5.1.35 to fix
this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2575
http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00089.html
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-5.1.35-1.mga4

from mysql-connector-java-5.1.35-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 Herman Viaene 2015-06-23 15:11:35 CEST
MGA4-32 on AcerD620 Xfce
No installation issues, but I have no idea how to make sure this does not break anything.

CC: (none) => herman.viaene

Comment 4 David Walser 2015-06-23 16:33:02 CEST
According to the SuSE bug, this can be tested by using LibreOffice Base to connect to a MariaDB database.
Comment 5 Brian Rockwell 2015-07-03 17:07:52 CEST
Brian testing - MGA5 x86_64 (will test in MGA4 shortly)

Wrote java program to test basic connectivity and transactions.  Working as designed.  

Will re-run on VM in MGA4.

CC: (none) => brtians1

Comment 6 Brian Rockwell 2015-07-03 23:47:26 CEST
MGA 4 x86_64

Was able to run connector successfully through java program.  I did not test the bug itself, but that the connector works correctly with the version of java running in MGA4 (java version "1.7.0_79")

Whiteboard: (none) => MGA4 x86_64 OK

Comment 7 David Walser 2015-07-03 23:49:02 CEST
Can you post the test program that you used?  Also, the whiteboard entry should read MGA4-64-OK.

Whiteboard: MGA4 x86_64 OK => MGA4-64-OK

Comment 8 Brian Rockwell 2015-07-04 01:41:37 CEST
Created attachment 6809 [details]
java code written to test
Comment 9 Brian Rockwell 2015-07-04 01:45:13 CEST
(In reply to Brian Rockwell from comment #8)
> Created attachment 6809 [details]
> java code written to test

command line:
java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect


note to make this work, after installing the mysql-connector driver you need to also edit the following

/etc/my.cnf

comment out the line skip-networking with a #.

This allows the driver to communicate via tcp.

Compilation of the java code:
java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect

Note:  I deliberately removed the code from a package to make it easy to command line compile and run.

Hope this makes sense,
Brian
Comment 10 Brian Rockwell 2015-07-04 01:47:34 CEST
from MGA5 - it uses java 1.8

javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
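A connectivity and transaction smoke test in the spirit of the one described in comments 9 and 10, added here as an example; it is not Brian's attached Mariadb_Connect.java. The JDBC URL, database name, user and password are assumed placeholders, and it compiles and runs with the same classpath as the commands above.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not the attachment from this bug. Assumed placeholders: database "test",
// user "qa", password "qa" on localhost:3306 (TCP, so skip-networking must be commented out).
public class ConnectorSmokeTest {
    private static final String URL = "jdbc:mysql://localhost:3306/test";
    private static final String USER = "qa";
    private static final String PASS = "qa";

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(URL, USER, PASS)) {
            // Confirm which connector build was actually loaded from the classpath.
            System.out.println("driver: " + con.getMetaData().getDriverVersion());
            try (Statement st = con.createStatement()) {
                st.execute("DROP TABLE IF EXISTS qa_smoke");
                st.execute("CREATE TABLE qa_smoke (id INT PRIMARY KEY, note VARCHAR(32)) ENGINE=InnoDB");
            }
            // Transaction 1: insert then roll back; the row must not persist.
            con.setAutoCommit(false);
            insert(con, 1, "rolled back");
            con.rollback();
            // Transaction 2: insert then commit; the row must persist.
            insert(con, 2, "committed");
            con.commit();
            con.setAutoCommit(true);
            // Exactly one row proves both the rollback and the commit went through the driver correctly.
            try (Statement st = con.createStatement();
                 ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM qa_smoke")) {
                rs.next();
                int rows = rs.getInt(1);
                System.out.println("rows: " + rows + (rows == 1 ? " (OK)" : " (FAIL)"));
            }
        }
    }

    // Parameterised insert: values travel as bound parameters, never concatenated into the SQL text.
    private static void insert(Connection con, int id, String note) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("INSERT INTO qa_smoke (id, note) VALUES (?, ?)")) {
            ps.setInt(1, id);
            ps.setString(2, note);
            ps.executeUpdate();
        }
    }
}
```

The printed driver version should read 5.1.35 after the update; an older value means the jar on the classpath is not the updated package.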
Comment 11 Dave Hodgins 2015-07-04 18:55:30 CEST
Advisory committed to svn.

Someone from the sysadmin team please push 16070.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => MGA4-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2015-07-05 19:23:13 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0255.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

