Bug 26522 - mysql-connector-java new security issue CVE-2020-2934
Summary: mysql-connector-java new security issue CVE-2020-2934
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-21 22:08 CEST by David Walser
Modified: 2020-09-21 21:47 CEST (History)
4 users

See Also:
Source RPM: mysql-connector-java-8.0.16-3.mga8.src.rpm
CVE:
Status comment:


Attachments
Contents of mysql-connector jar (82.68 KB, text/plain)
2020-09-15 20:32 CEST, Herman Viaene

Description David Walser 2020-04-21 22:08:00 CEST
April 2020 Oracle CPU:
https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL

It says versions through 8.0.19 are affected, and 8.0.19 appears to be the current version upstream, so I'm not sure when they actually plan on fixing this and issuing an update.

The other two connector-java CVEs don't affect 8.0.16, which we have packaged.

Mageia 7 is also affected.
David Walser 2020-04-21 22:08:08 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-04-22 20:36:49 CEST
Changed a couple of header fields, hopefully correctly.

Assigning to DavidG as being the active committer for this.

Component: Release (media or process) => Security
Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security

Comment 2 Nicolas Lécureuil 2020-05-31 14:47:15 CEST
new version is in cauldron.

Fixed mga7 version is: mysql-connector-java-8.0.20-1.mga7

CC: (none) => mageia
Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 3 David Walser 2020-05-31 18:46:01 CEST
Do we have a reference that says the issue is fixed in 8.0.20?  I can't find one, and the release notes don't mention it:
https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-20.html

Keywords: (none) => feedback

Comment 4 David Walser 2020-06-12 22:08:01 CEST
Debian has issued an advisory for this on June 11:
https://www.debian.org/security/2020/dsa-4703

You can check the patch for CVE-2020-2934 and make sure it is in this release.
David Walser 2020-06-21 14:49:41 CEST

Assignee: qa-bugs => mageia
Keywords: feedback => (none)
CC: (none) => qa-bugs

Comment 5 David Walser 2020-08-31 01:02:29 CEST
Debian didn't add a patch, 5.1.49 fixed it upstream.  We should be OK.

CC: qa-bugs, sysadmin-bugs => (none)
Assignee: mageia => qa-bugs

Comment 6 Herman Viaene 2020-08-31 11:19:09 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 20731 for testing, downloaded test file from bug 16070.
Made sure mysqld is running, then:
$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
Mariadb_Connect.java:7: error: cannot find symbol
import com.mysql.jdbc.Connection;
                     ^
  symbol:   class Connection
  location: package com.mysql.jdbc

Error repeats another 5 times. Have been hunting in vain where this com.mysql.jdbc might come from, but no result so far.

CC: (none) => herman.viaene

Comment 7 David Walser 2020-08-31 14:02:08 CEST
We have Java 8 now, not 7, so you shouldn't force 7 in your test command.
Comment 8 David Walser 2020-09-03 23:29:27 CEST
Fedora has issued an advisory for this today (September 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/
Comment 9 David Walser 2020-09-07 19:44:31 CEST
Advisory:
========================

Updated mysql-connector-java package fixes security vulnerability:

A flaw was found in the mysql-connector-java package. A complicated attack
against the mysql Connector/J allows attackers on the local network to
interfere with a user's connection and insert unauthorized SQL commands
(CVE-2020-2934).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2934
https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-20.html
https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-8.0.20-1.mga7

from mysql-connector-java-8.0.20-1.mga7.src.rpm
Comment 10 Herman Viaene 2020-09-14 14:29:04 CEST
Hmmmm, took David's advice as far as I understand it, so:
$ javac -cp /usr/share/java/mysql-connector-java.jar  Mariadb_Connect.java
Mariadb_Connect.java:7: error: cannot find symbol
import com.mysql.jdbc.Connection;
                     ^
  symbol:   class Connection
  location: package com.mysql.jdbc
Mariadb_Connect.java:41: error: cannot find symbol
        private static void create_tables(Connection lvcon) {
                                          ^
  symbol:   class Connection
  location: class Mariadb_Connect
Comment 11 David Walser 2020-09-14 17:29:58 CEST
I think it's supposed to come from this package.  Maybe the package or class name changed.  What directory structure do you see if you run unzip -l on the jar file?
Comment 12 Herman Viaene 2020-09-15 20:31:24 CEST
$ unzip -l /usr/share/java/mysql-connector-java.jar > mysqlconnjava.txt

File uploaded here, too long to copy here
Comment 13 Herman Viaene 2020-09-15 20:32:35 CEST
Created attachment 11884 [details]
Contents of mysql-connector jar
Comment 14 David Walser 2020-09-15 22:00:53 CEST
Yeah, the API changed since your test case was written.  Now all that's in package com.mysql.jdbc is Driver, SocketFactory, and SocketFactoryWrapper.  Everything else is in com.mysql.cj, but there's no Connection class.  We'll need to find an updated example snippet.  Or just approve on good install if we can't find one, as the API change would have been from Mageia 6 to 7, it isn't changing in this update.
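The compile errors in comments 6 and 10 come from importing com.mysql.jdbc.Connection, a class that no longer exists in Connector/J 8.x. With Connector/J 8 a test program should import the standard java.sql.Connection interface instead and let DriverManager load com.mysql.cj.jdbc.Driver through its service registration. The following smoke test is an added example for this bug, not the test file from bug 16070 or code shipped by the mysql-connector-java package; the host, database name and credentials are placeholders, and the table name is constructed for the test. It also reads the Ssl_cipher status variable so the tester can confirm the connection actually negotiated TLS, which is the general protection against an on-path party interfering with the client/server exchange.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class MysqlConnectorSmokeTest {
    // Placeholders: point these at the local test server and a test account.
    // sslMode=VERIFY_IDENTITY (Connector/J 8.0.13+) requires a server certificate the
    // client trusts and whose name matches the host; relax to REQUIRED for a throwaway
    // local server that only has a self-signed certificate.
    private static final String URL =
        "jdbc:mysql://localhost:3306/test?sslMode=VERIFY_IDENTITY";
    private static final String USER = "testuser";
    private static final String PASSWORD = "testpass";

    public static void main(String[] args) throws SQLException {
        // No Class.forName needed: Connector/J 8 registers com.mysql.cj.jdbc.Driver
        // via META-INF/services, so DriverManager finds it from the classpath.
        try (Connection con = DriverManager.getConnection(URL, USER, PASSWORD)) {
            System.out.println("Driver: " + con.getMetaData().getDriverName()
                + " " + con.getMetaData().getDriverVersion());
            System.out.println("Server: " + con.getMetaData().getDatabaseProductVersion());
            System.out.println("TLS cipher: " + tlsCipher(con));
            createTable(con);
            insertRow(con, "alice", 42);
            printRows(con);
        }
    }

    // Returns the negotiated TLS cipher, or an empty string if the session is in clear text.
    static String tlsCipher(Connection con) throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString(2) : "";
        }
    }

    static void createTable(Connection con) throws SQLException {
        try (Statement st = con.createStatement()) {
            st.executeUpdate("CREATE TABLE IF NOT EXISTS smoke_test ("
                + "id INT AUTO_INCREMENT PRIMARY KEY, "
                + "name VARCHAR(64) NOT NULL, score INT NOT NULL)");
        }
    }

    // Values are bound as parameters, never concatenated into the SQL text.
    static void insertRow(Connection con, String name, int score) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(
                "INSERT INTO smoke_test (name, score) VALUES (?, ?)")) {
            ps.setString(1, name);
            ps.setInt(2, score);
            ps.executeUpdate();
        }
    }

    static void printRows(Connection con) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(
                 "SELECT id, name, score FROM smoke_test ORDER BY id");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                System.out.printf("%d %s %d%n",
                    rs.getInt("id"), rs.getString("name"), rs.getInt("score"));
            }
        }
    }
}
```

Compile and run against the packaged jar with `javac -cp /usr/share/java/mysql-connector-java.jar MysqlConnectorSmokeTest.java` followed by `java -cp /usr/share/java/mysql-connector-java.jar:. MysqlConnectorSmokeTest`; no `-source 7` is needed since Mageia 7 ships Java 8, which Connector/J 8 requires. The printed driver version should match the 8.0.20 package under test, and an empty "TLS cipher" line means the server accepted a plaintext session.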
Comment 15 Herman Viaene 2020-09-18 14:48:57 CEST
I'll treat this then as we do with other "developers stuff", OK on clean install.

Whiteboard: (none) => MGA7-64-OK

Comment 16 Aurelien Oudelet 2020-09-18 18:15:32 CEST
Validating update, Advisory and packages Comment 9.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 17 Mageia Robot 2020-09-21 21:47:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0369.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

