The April 2017 Oracle CPU includes security issues in MySQL Connector Java:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Versions 5.1.41 and earlier are affected, and that appears to be the current version, so I'm not sure if all of these issues have been fixed yet.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to registered maintainer
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11
Debian has issued an advisory for CVE-2017-3523 on May 2:
https://www.debian.org/security/2017/dsa-3840
Package : mysql-connector-java
CVE ID : CVE-2017-3586 CVE-2017-3589

Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.

For the stable distribution (jessie), these problems have been fixed in version 5.1.42-1~deb8u1.

For the upcoming stable distribution (stretch), these problems have been fixed in version 5.1.42-1.

For the unstable distribution (sid), these problems have been fixed in version 5.1.42-1.

We recommend that you upgrade your mysql-connector-java packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found
CC: (none) => zombie_ryushu
(In reply to David Walser from comment #2)
> Debian has issued an advisory for CVE-2017-3523 on May 2:
> https://www.debian.org/security/2017/dsa-3840

Debian advisory for the other two CVEs from May 18:
https://www.debian.org/security/2017/dsa-3857
It looks like upgrading to 5.1.42 would fix all of these.
Status comment: (none) => Fixed upstream in 5.1.42
Tried a local build of 5.1.42 but it fails:

-compile-driver-jdbc4:
[echo] Compiling MySQL Connector/J JDBC 4+ implementation with '/usr/lib/jvm/java' to 'build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT'
[javac] Compiling 41 source files to /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.6
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/hibernate/FabricMultiTenantConnectionProvider.java:30: error: package org.hibernate.engine.jdbc.connections.spi does not exist
[javac] import org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/hibernate/FabricMultiTenantConnectionProvider.java:44: error: cannot find symbol
[javac] public class FabricMultiTenantConnectionProvider implements MultiTenantConnectionProvider {
[javac] ^
[javac] symbol: class MultiTenantConnectionProvider
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:30: error: package org.hibernate does not exist
[javac] import org.hibernate.Session;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:31: error: package org.hibernate does not exist
[javac] import org.hibernate.SessionFactory;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:32: error: package org.hibernate.cfg does not exist
[javac] import org.hibernate.cfg.Configuration;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:33: error: package org.hibernate.boot.registry does not exist
[javac] import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:105: error: cannot find symbol
[javac] public static SessionFactory createSessionFactory(String fabricUrl, String username, String password, String fabricUser, String fabricPassword)
[javac] ^
[javac] symbol: class SessionFactory
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/jdbc/FabricMySQLConnectionProxy.java:87: error: FabricMySQLConnectionProxy is not abstract and does not override abstract method createStruct(String,Object[]) in Connection
[javac] public class FabricMySQLConnectionProxy extends ConnectionPropertiesImpl implements FabricMySQLConnection, FabricMySQLConnectionProperties {
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:71: error: cannot find symbol
[javac] SessionFactory sf = createSessionFactory("http://" + hostname + ":" + port, user, password, fabricUsername, fabricPassword);
[javac] ^
[javac] symbol: class SessionFactory
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:81: error: cannot find symbol
[javac] Session session = sf.withOptions().tenantIdentifier("" + j) // choose a db server
[javac] ^
[javac] symbol: class Session
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:110: error: cannot find symbol
[javac] StandardServiceRegistryBuilder srb = new StandardServiceRegistryBuilder();
[javac] ^
[javac] symbol: class StandardServiceRegistryBuilder
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:110: error: cannot find symbol
[javac] StandardServiceRegistryBuilder srb = new StandardServiceRegistryBuilder();
[javac] ^
[javac] symbol: class StandardServiceRegistryBuilder
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:111: error: package org.hibernate.engine.jdbc.connections.spi does not exist
[javac] srb.addService(org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider.class, connProvider);
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:114: error: cannot find symbol
[javac] Configuration config = new Configuration();
[javac] ^
[javac] symbol: class Configuration
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:114: error: cannot find symbol
[javac] Configuration config = new Configuration();
[javac] ^
[javac] symbol: class Configuration
[javac] location: class HibernateFabric
[javac] 15 errors
[javac] 1 warning

Missing dep, but is it just a missing BR or should we import a new hibernate-something package?
Source RPM: mysql-connector-java-5.1.35-2.mga6.src.rpm => mysql-connector-java-5.1.41-1.mga6
Status comment: Fixed upstream in 5.1.42 => Fixed upstream in 5.1.42, sadly doesn't build out of the box
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
So! fixed for mga5, mga6 and also Cauldron \o/
Thanks David!

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerabilities:

Thijs Alkemade discovered that unexpected automatic deserialisation of Java objects in the MySQL Connector/J JDBC driver may result in the execution of arbitrary code (CVE-2017-3523).

Two vulnerabilities have been found in the MySQL Connector/J JDBC driver (CVE-2017-3586, CVE-2017-3589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
https://www.debian.org/security/2017/dsa-3840
https://www.debian.org/security/2017/dsa-3857
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-5.1.42-1.mga5
mysql-connector-java-5.1.42-1.mga6

from SRPMS:
mysql-connector-java-5.1.42-1.mga5.src.rpm
mysql-connector-java-5.1.42-1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => mageia
Version: Cauldron => 6
Assignee: mageia => qa-bugs
Pointer
------
The only previous bug on this is:
https://bugs.mageia.org/show_bug.cgi?id=16070
but the attachment
https://bugs.mageia.org/attachment.cgi?id=6809
+ related comments 8 9 10 look good for testing this update. For which thanks to Brian.
CC: (none) => lewyssmith
Can be due to my ignorance, but at CLI

[tester5@mach5 Downloads]$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[tester5@mach5 Downloads]$ java Mariadb_Connect
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at Mariadb_Connect.main(Mariadb_Connect.java:15)
Exception: com.mysql.jdbc.Driver
CC: (none) => herman.viaene
Trying M5/64
Added Brian to the CC list for his help if possible.

Referring to bug 16070, downloaded the attachment Mariadb_Connect.java
In /etc/my.cnf, commented out 'skip-networking'.
From the old bug comments 9 & 10, I tried (from the same directory):

c10, new compile?
$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
bash: javac: command not found

Installed pkg 'javacc'. To get something to happen, I needed:
$ javacc.sh -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
Java Compiler Compiler Version 5.0 (Parser Generator)
(type "javacc" with no arguments for help)
Warning: Bad option "-cp" will be ignored.
Argument "/usr/share/java/mysql-connector-java.jar:." must be an option setting.

c9, to run?
$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Error: Could not find or load main class Mariadb_Connect

c9, old compile, obsolete?
$ java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect
Error: Could not find or load main class Mariadb_Connect

Am unsure what these commands are really meant to do; and whether running them without errors suffices to drive the 'mysql-connector-java' package.
CC: (none) => brtians1
$ uname -a
Linux localhost 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ok - ran mysql-connector-5.1.35 and it worked in MGA5

$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[brian@localhost java]$ ls -ltr
total 3212
-rw------- 1 brian brian 165085 Mar 21 2009 getstartderby.pdf
-rw------- 1 brian brian 1592484 Mar 21 2009 refderby.pdf
-rw------- 1 brian brian 819598 Mar 21 2009 derbydev.pdf
drwxrwxr-x 9 brian brian 4096 Feb 3 2010 docs/
drwxrwxr-x 5 brian brian 4096 Feb 19 2011 weather/
drwxrwxr-x 5 brian brian 4096 Feb 19 2011 FunApp1/
drwxrwxr-x 7 brian brian 4096 Oct 15 2011 Reminder/
-rw------- 1 brian brian 365162 Nov 3 2012 derbyadmin.pdf
-rw------- 1 brian brian 278214 Nov 3 2012 derbytools.pdf
drwxrwxr-x 8 brian brian 4096 Nov 3 2012 derby_10910/
drwxrwxr-x 4 brian brian 4096 Nov 3 2012 derbytutor/
drwxrwxr-x 11 brian brian 12288 May 29 2016 jcode/
-rw-rw-r-- 1 brian brian 937 Jun 18 20:46 helloworld.java
-rw-r--r-- 1 brian brian 858 Jun 18 20:47 helloworld$1.class
-rw-r--r-- 1 brian brian 1114 Jun 18 20:47 helloworld.class
-rw-rw-r-- 1 brian brian 3342 Oct 19 12:59 Mariadb_Connect.java
-rw-r--r-- 1 brian brian 3314 Oct 19 13:00 Mariadb_Connect.class
[brian@localhost java]$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------
dropped the books table
Close the database connection
[brian@localhost java]$

Removed 5.1.35 and re-ran

$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at Mariadb_Connect.main(Mariadb_Connect.java:14)
Exception: com.mysql.jdbc.Driver
[brian@localhost java]$

Installed 5.1.42.1

$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------
dropped the books table
Close the database connection
[brian@localhost java]$

Working as designed.

Lewis - I think you were missing the javac application.
Whiteboard: MGA5TOO => MGA5TOO mga5-64-ok
mga6-64

I have to say I banged my head around on this one. Finally got it working.

Don't forget to update /etc/my.cnf and comment out skip-networking with a # symbol, then restart the server.

Part of the challenge is to remember to install the java-1.8.0-openjdk-devel to get the javac compiler

[brian@localhost Documents]$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[brian@localhost Documents]$ java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect
Trying to Connect to the database
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------
dropped the books table
Close the database connection
[brian@localhost Documents]$ uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[brian@localhost Documents]$
Whiteboard: MGA5TOO mga5-64-ok => MGA5TOO mga5-64-ok mga6-64-ok
Advisoried. Validating as it has 2 expert 64-bit OKs. Many thanks to Brian for coming to the rescue.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0382.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED