April 2020 Oracle CPU: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL It says versions through 8.0.19 are affected, and 8.0.19 appears to be the current version upstream, so I'm not sure when they actually plan on fixing this and issuing an update. The other two connector-java CVEs don't affect 8.0.16, which we have packaged. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Changed a couple of header fields, hopefully correctly. Assigning to DavidG as being the active committer for this.
Component: Release (media or process) => Security
Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security
New version is in cauldron. Fixed mga7 version is: mysql-connector-java-8.0.20-1.mga7
CC: (none) => mageia
Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA7TOO => (none)
Do we have a reference that says the issue is fixed in 8.0.20? I can't find one, and the release notes don't mention it: https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-20.html
Keywords: (none) => feedback
Debian has issued an advisory for this on June 11: https://www.debian.org/security/2020/dsa-4703 You can check the patch for CVE-2020-2934 and make sure it is in this release.
Assignee: qa-bugs => mageia
Keywords: feedback => (none)
CC: (none) => qa-bugs
Debian didn't add a patch, 5.1.49 fixed it upstream. We should be OK.
CC: qa-bugs, sysadmin-bugs => (none)
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 20731 for testing, downloaded test file from bug 16070.
Made sure mysqld is running, then:

$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
Mariadb_Connect.java:7: error: cannot find symbol
import com.mysql.jdbc.Connection;
                     ^
  symbol:   class Connection
  location: package com.mysql.jdbc

Error repeats another 5 times.
Have been hunting in vain where this com.mysql.jdbc might come from, but no result so far.
CC: (none) => herman.viaene
We have Java 8 now, not 7, so you shouldn't force 7 in your test command.
Fedora has issued an advisory for this today (September 3): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/
Advisory:
========================

Updated mysql-connector-java package fixes security vulnerability:

A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands (CVE-2020-2934).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2934
https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-20.html
https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/
========================

Updated packages in core/updates_testing:
========================

mysql-connector-java-8.0.20-1.mga7

from mysql-connector-java-8.0.20-1.mga7.src.rpm
Hmmmm, took David's advice as far as I understand it, so:

$ javac -cp /usr/share/java/mysql-connector-java.jar Mariadb_Connect.java
Mariadb_Connect.java:7: error: cannot find symbol
import com.mysql.jdbc.Connection;
                     ^
  symbol:   class Connection
  location: package com.mysql.jdbc
Mariadb_Connect.java:41: error: cannot find symbol
    private static void create_tables(Connection lvcon) {
                                      ^
  symbol:   class Connection
  location: class Mariadb_Connect
I think it's supposed to come from this package. Maybe the package or class name changed. What directory structure do you see if you run unzip -l on the jar file?
$ unzip -l /usr/share/java/mysql-connector-java.jar > mysqlconnjava.txt

File uploaded here, too long to copy here.
Created attachment 11884 [details] Contents of mysql-connector jar
Yeah, the API changed since your test case was written. Now all that's in package com.mysql.jdbc is Driver, SocketFactory, and SocketFactoryWrapper. Everything else is in com.mysql.cj, but there's no Connection class. We'll need to find an updated example snippet. Or just approve on good install if we can't find one, as the API change would have been from Mageia 6 to 7; it isn't changing in this update.
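Added example (not from the bug report, nor from the Connector/J project): a minimal smoke test that compiles against the 8.0 jar because it imports only the standard java.sql interfaces (java.sql.Connection instead of the removed com.mysql.jdbc.Connection) and names the 8.0 driver class com.mysql.cj.jdbc.Driver. The host, database name, user and password are placeholders to be replaced with the local test server's values.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class MysqlConnectorSmokeTest {

    // Placeholders (assumptions): point these at the mysqld/MariaDB instance used for testing.
    // sslMode is left at the Connector/J 8.0 default (PREFERRED) so the test also works against a
    // server without a certificate; a deployment that must resist on-path tampering would set
    // sslMode=VERIFY_CA or VERIFY_IDENTITY in the URL instead.
    private static final String URL = "jdbc:mysql://localhost:3306/test";
    private static final String USER = "test";
    private static final String PASSWORD = "test";

    public static void main(String[] args) throws SQLException {
        // JDBC 4 auto-registers the driver from META-INF/services inside the jar, so this
        // Class.forName is not required; it only gives a clearer message when the jar is
        // missing from the classpath.
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            System.err.println("Connector/J is not on the classpath: " + e.getMessage());
            System.exit(1);
        }

        // java.sql.Connection is the portable interface; no driver-specific Connection type is needed.
        try (Connection con = DriverManager.getConnection(URL, USER, PASSWORD)) {
            System.out.println("Driver: " + con.getMetaData().getDriverName()
                + " " + con.getMetaData().getDriverVersion());
            System.out.println("Server: " + con.getMetaData().getDatabaseProductVersion());

            try (Statement st = con.createStatement()) {
                st.executeUpdate("CREATE TABLE IF NOT EXISTS smoke (id INT PRIMARY KEY, note VARCHAR(64))");
            }

            // Parameterised statements keep the SQL text separate from the values supplied to it.
            try (PreparedStatement ps = con.prepareStatement(
                    "INSERT INTO smoke (id, note) VALUES (?, ?) ON DUPLICATE KEY UPDATE note = VALUES(note)")) {
                ps.setInt(1, 1);
                ps.setString(2, "hello from Connector/J 8.0");
                ps.executeUpdate();
            }

            try (PreparedStatement ps = con.prepareStatement("SELECT id, note FROM smoke WHERE id = ?")) {
                ps.setInt(1, 1);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        System.out.println(rs.getInt("id") + ": " + rs.getString("note"));
                    }
                }
            }
        }
    }
}
```

Build and run it the same way as the original test file, without the -source/-target 7 flags: javac -cp /usr/share/java/mysql-connector-java.jar MysqlConnectorSmokeTest.java followed by java -cp /usr/share/java/mysql-connector-java.jar:. MysqlConnectorSmokeTest. A successful run prints the driver name and version reported by the packaged jar, which is the quickest way to confirm the updated 8.0.20 jar is the one actually loaded.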
I'll treat this then as we do with other "developers stuff", OK on clean install.
Whiteboard: (none) => MGA7-64-OK
Validating update, Advisory and packages Comment 9.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0369.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED