Bug 29567 - mysql-connector-java new security issues CVE-2021-2471, CVE-2022-21363, CVE-2023-21971
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-20 01:50 CEST by David Walser
Modified: 2024-01-12 09:30 CET

See Also:
Source RPM: mysql-connector-java-8.0.32-1.mga9.src.rpm
CVE:
Status comment: Fixed upstream in 8.0.33



Description David Walser 2021-10-20 01:50:46 CEST
October 2021 Oracle CPU:
https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL

The issue is fixed upstream in 8.0.27.

Mageia 8 is also affected.

David Walser 2021-10-20 01:50:58 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 8.0.27

Comment 1 Nicolas Lécureuil 2021-10-26 18:21:15 CEST
Fixed in cauldron.

Fixed in mga8:

src:
    mysql-connector-java-8.0.27-1.mga8
rpms:
    mysql-connector-java-8.0.27-1.mga8.noarch

Status comment: Fixed upstream in 8.0.27 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia
Assignee: java => qa-bugs

Nicolas Lécureuil 2021-10-26 18:23:02 CEST

Assignee: qa-bugs => mageia

David Walser 2021-10-26 22:19:34 CEST

Status comment: (none) => Fixed upstream in 8.0.27

Comment 2 David Walser 2022-01-21 20:26:50 CET
January 2022 Oracle CPU:
https://www.oracle.com/security-alerts/cpujan2022.html#AppendixMSQL

The issue is fixed upstream in 8.0.28.

Mageia 8 is also affected.

Status comment: Fixed upstream in 8.0.27 => Fixed upstream in 8.0.28
Source RPM: mysql-connector-java-8.0.23-1.mga9.src.rpm => mysql-connector-java-8.0.27-1.mga9.src.rpm
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Summary: mysql-connector-java new security issue CVE-2021-2471 => mysql-connector-java new security issues CVE-2021-2471 and CVE-2022-21363

Comment 3 David Walser 2022-03-02 20:40:58 CET
openSUSE has issued an advisory for the first issue today (March 2):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FPABDE53LLJDPCFTIOU2DXOPZRS7JPVT/

Comment 4 David Walser 2023-01-25 22:24:36 CET
mysql-connector-java-8.0.32-1.mga9 uploaded by David Geiger for Cauldron.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => geiger.david68210

Comment 5 David Walser 2023-04-19 14:38:17 CEST
April 2023 Oracle CPU:
https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixMSQL

The issue is fixed upstream in 8.0.33.

Mageia 8 is also affected.

Summary: mysql-connector-java new security issues CVE-2021-2471 and CVE-2022-21363 => mysql-connector-java new security issues CVE-2021-2471, CVE-2022-21363, CVE-2023-21971
Version: 8 => Cauldron
Source RPM: mysql-connector-java-8.0.27-1.mga9.src.rpm => mysql-connector-java-8.0.32-1.mga9.src.rpm
Status comment: Fixed upstream in 8.0.28 => Fixed upstream in 8.0.33
Whiteboard: (none) => MGA8TOO

Comment 6 David GEIGER 2023-04-19 21:01:29 CEST
Done for Cauldron, freeze_move requested!

Comment 7 David Walser 2023-05-19 20:30:44 CEST
Freeze move done for Cauldron.

SUSE has issued an advisory for the latest issue on May 18:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014924.html

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 8 Nicolas Salguero 2024-01-12 09:30:51 CET
Mageia 8 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => nicolas.salguero

