Bug 31432 - mysql-connector-python new security issue CVE-2022-1941
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Python Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-18 19:58 CET by David Walser
Modified: 2023-05-14 01:41 CEST

See Also:
Source RPM: mysql-connector-python-8.0.21-4.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-01-18 19:58:28 CET
Oracle CPU for January 2023 lists MySQL connector CVEs:
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL

This issue is actually in protobuf, which we haven't addressed (Bug 30906).

If this package bundles protobuf, we should link it to the system one.

Mageia 8 is also affected.

David Walser 2023-01-18 19:58:34 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-01-18 21:34:34 CET
Assigning to python stack maintainers, but this bug is a clone of bug 31431.
See also bug 30906.

Assignee: bugsquad => python
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31431, https://bugs.mageia.org/show_bug.cgi?id=30906

Comment 2 David Walser 2023-01-19 01:36:20 CET
It's not a clone. Different CVE, different package.

Comment 3 papoteur 2023-05-13 16:25:48 CEST
This package is noarch. It requires python3-protobuf which is provided by protobuf source.
The CVE-2022-1941 report cites python-protobuf as being affected, but not mysql-connector-python.
Thus, I don't think that this package is affected.

CC: (none) => yves.brungard_mageia

Comment 4 David Walser 2023-05-14 01:41:23 CEST
I'll buy that.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

