Bug 26402 - mysql-connector-python new security issue CVE-2019-2435
Summary: mysql-connector-python new security issue CVE-2019-2435
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-31 23:27 CEST by David Walser
Modified: 2020-08-25 10:14 CEST (History)
CC List: 4 users

See Also:
Source RPM: mysql-connector-python-2.1.7-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-03-31 23:27:13 CEST
openSUSE has issued an advisory on March 30:
https://lists.opensuse.org/opensuse-updates/2020-03/msg00140.html

The issue is fixed upstream in 8.0.19.
Comment 1 David GEIGER 2020-08-21 18:00:28 CEST
Done for mga7 updating to latest 8.0.20 release!

Also note that I had to enable the protobuf python3 bindings needed for the new mysql-connector-python python3 part.
Comment 2 David Walser 2020-08-21 19:04:41 CEST
Advisory:
========================

Updated mysql-connector-python packages fix security vulnerability:

Easily exploitable vulnerability allows unauthenticated attacker with network
access via TLS to compromise MySQL Connectors. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all MySQL Connectors accessible data as well as
unauthorized access to critical data or complete access to all MySQL Connectors
accessible data (CVE-2019-2435).

Also, the protobuf package was updated to add a python3 subpackage, which was
needed for this update.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2435
http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#CVE-2019-2435
https://lists.opensuse.org/opensuse-updates/2020-03/msg00140.html
========================

Updated packages in core/updates_testing:
========================
libprotobuf17-3.6.1-1.1.mga7
libprotobuf-lite17-3.6.1-1.1.mga7
protobuf-compiler-3.6.1-1.1.mga7
libprotoc17-3.6.1-1.1.mga7
libprotobuf-devel-3.6.1-1.1.mga7
libprotobuf-static-devel-3.6.1-1.1.mga7
python2-protobuf-3.6.1-1.1.mga7
python3-protobuf-3.6.1-1.1.mga7
protobuf-vim-3.6.1-1.1.mga7
protobuf-java-3.6.1-1.1.mga7
protobuf-java-util-3.6.1-1.1.mga7
protobuf-javadoc-3.6.1-1.1.mga7
protobuf-parent-3.6.1-1.1.mga7
python2-mysql-connector-8.0.20-1.mga7
python3-mysql-connector-8.0.20-1.mga7

from SRPMS:
protobuf-3.6.1-1.1.mga7.src.rpm
mysql-connector-python-8.0.20-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

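The description above places the upstream fix in 8.0.19 and the advisory puts the attacker on the TLS path between client and server, so a tester with a Python application using this connector has two things to check: that the installed connector is at or past the fixed release (the Mageia 7 package moves from 2.1.7 to 8.0.20), and that the application insists on certificate and hostname verification when it connects. The following is an added example, not code from the Mageia bug, from openSUSE, or from mysql-connector-python itself; the host name, user and CA bundle path are placeholders chosen for illustration, and whether enforced verification alone would have blocked this particular CVE is not something the page states.

```python
"""Check an installed mysql-connector-python against the fix version
named in this bug and build TLS connection arguments that refuse an
unverified peer. Added example; not part of the bug report or the connector."""

import re

# Upstream release carrying the fix for CVE-2019-2435 (from the description).
FIXED_VERSION = (8, 0, 19)


def parse_version(text):
    """Turn '8.0.20' or '2.1.7-3.mga7' into a comparable integer tuple.

    Only the leading dotted numeric components are used; a distribution
    release suffix such as '-3.mga7' is ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % (text,))
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version_text, fixed=FIXED_VERSION):
    """True if the given connector version is at or past the fixed release."""
    v = parse_version(version_text)
    # Pad both tuples so a short '8.0' compares sensibly against (8, 0, 19).
    n = max(len(v), len(fixed))
    return v + (0,) * (n - len(v)) >= fixed + (0,) * (n - len(fixed))


def installed_version():
    """Version string of the mysql-connector-python importable here, or None."""
    try:
        import mysql.connector  # shipped as python3-mysql-connector on Mageia
    except ImportError:
        return None
    return mysql.connector.__version__


def tls_connect_args(host, user, ca_file, password=None, database=None):
    """Keyword arguments for mysql.connector.connect() that enforce TLS checks.

    ssl_ca names the trusted CA bundle, ssl_verify_cert rejects a server
    certificate not chaining to it, and ssl_verify_identity additionally
    requires the certificate to match the host name. All three are real
    connector options; the host/user/CA values are supplied by the caller.
    """
    args = {
        "host": host,
        "user": user,
        "ssl_ca": ca_file,
        "ssl_verify_cert": True,
        "ssl_verify_identity": True,
    }
    if password is not None:
        args["password"] = password
    if database is not None:
        args["database"] = database
    return args


if __name__ == "__main__":
    # The two package versions from this bug, old and updated.
    for candidate in ("2.1.7-3.mga7", "8.0.20-1.mga7"):
        print(candidate, "fixed" if is_fixed(candidate) else "VULNERABLE")
    found = installed_version()
    if found is None:
        print("mysql-connector-python is not importable on this system")
    else:
        print("installed:", found, "fixed" if is_fixed(found) else "VULNERABLE")
    # Hypothetical host and CA path; a real application would then run
    #   mysql.connector.connect(**tls_connect_args(...))
    print(tls_connect_args("db.example.org", "app", "/etc/pki/tls/certs/ca-bundle.crt"))
```

Run it on the machine under test: the first two lines show the version gate on the packages named in this bug, the third reports the connector actually installed, and the dictionary shows the three options that make the connector reject a server whose certificate does not chain to the configured CA or does not match the host name.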
Comment 3 Herman Viaene 2020-08-22 22:01:28 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates, so googled on the subject and found:
"Protocol buffers are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data"
That tastes like developers' stuff, so proposing to OK on clean install????

CC: (none) => herman.viaene

Comment 4 David Walser 2020-08-22 22:03:26 CEST
Yeah, unless you have a Python program that uses mysql/mariadb via this connector, clean install/upgrade is fine.
Herman Viaene 2020-08-23 09:03:29 CEST

Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2020-08-23 16:08:43 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 5 Thomas Andrews 2020-08-25 02:17:14 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2020-08-25 08:29:05 CEST

CC: ouaurelien => (none)

Comment 6 Mageia Robot 2020-08-25 10:14:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0345.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
