Bug 20732 - mysql-connector-python new security issue CVE-2017-3590
Summary: mysql-connector-python new security issue CVE-2017-3590
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-23 19:03 CEST by David Walser
Modified: 2017-07-27 14:13 CEST

See Also:
Source RPM: mysql-connector-python-2.1.3-1.mga6.src.rpm
CVE: CVE-2017-3590
Status comment:


Description David Walser 2017-04-23 19:03:33 CEST
The April 2017 Oracle CPU includes security issues in MySQL Connector Python:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

The issue is fixed in 2.1.6.

Mageia 5 may also be affected.
David Walser 2017-04-23 19:03:39 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-24 10:15:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Nicolas Lécureuil 2017-04-24 12:02:28 CEST

CC: (none) => mageia
CVE: (none) => CVE-2017-3590
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 2 Mike Rambo 2017-07-27 14:13:31 CEST
Neoclust fixed this for 6/cauldron back in April and forgot to update the bug. Given that Oracle says this is a low-risk, local-only exploit, and Mageia 5 will be EOL in around 90 days, I'd say the risk of breakage due to the large jump from 1.0.7 to 2.1.6 might not be warranted for 5. As the bug is set explicitly for 5, I'm going to close this WONTFIX. If anyone thinks otherwise, they are welcome to reopen and fix as desired.

Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => WONTFIX

