Re: Security update of mysql-connector-java

To: "team@security.debian.org" <team@security.debian.org>, debian-java@lists.debian.org
Subject: Re: Security update of mysql-connector-java
From: Markus Koschany <apo@debian.org>
Date: Wed, 22 Jun 2016 18:19:08 +0200
Message-id: <[🔎] 606042e0-7292-1b0f-5663-514d5126e5ce@debian.org>
In-reply-to: <[🔎] 20160622064758.GA28746@pisco.westfalen.local>
References: <[🔎] 456093d3-51db-9bc2-b95c-7e90162a2717@debian.org> <[🔎] 20160620173838.GB27764@inutil.org> <[🔎] c6d49674-2974-dcee-dd52-aa7adc683db3@debian.org> <[🔎] 61c84630-95f3-29dc-1473-ecd2da9ea868@debian.org> <[🔎] b7fce1c6-3a2d-249a-f215-8817c2a6b9f2@apache.org> <[🔎] 804fbc44-ed7d-179b-2091-618c49bf0f9a@debian.org> <[🔎] 20160622064758.GA28746@pisco.westfalen.local>

On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
> On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
>> On 22.06.2016 00:43, Emmanuel Bourg wrote:
>>> Le 22/06/2016 à 00:28, Markus Koschany a écrit :
>>>
>>>> Houston, we have a problem. It seems the latest upstream release
>>>> requires Java 8 for building JDBC 4. In Jessie even Java 6 was
>>>> sufficient. I suggest we ship version 5.1.34 of mysql-connector-java
>>>> instead, which should build fine with Java 6/7 and also fix the security
>>>> vulnerability. If there is a better way, please let me know.
>>>
>>> We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm
>>> not mistaken it's just a matter of removing this build step:
>>>
>>> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
>>>
>>> Emmanuel Bourg
>>
>> That might be a solution. Perhaps we should also disable the testsuite
>> in
>> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
>>
>> I am not sure if this would prevent all possible runtime errors though.
>> This would require more testing. In any case we have two options:
>> Patching 5.1.39 and make it compatible for Jessie /Wheezy or use 5.1.34
>> directly.
> 
> I'd prefer to make 5.1.39 compatible, there might an additional mysql-connector-java
> security issue in the future, for which 5.1.34 will be insufficient and then we
> already have the java 7 compat sorted out.

Yup, but new vulnerabilities could well have been introduced after
5.1.34, thus we will never really know in advance, what approach had
saved us more time.

I have pushed my update for Jessie, 5.1.39-1~deb8u1, to

https://anonscm.debian.org/cgit/pkg-java/mysql-connector-java.git/log/?h=jessie-security

The debdiff is huge so I didn't bother to attach it to this e-mail.

I have rebuilt all reverse build-dependencies successfully. I have also
used the library to connect to a local mysql database. I couldn't spot
obvious regressions but I would appreciate it if more people tested the
new version.

Regards,

Markus

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Security update of mysql-connector-java
  - From: Markus Koschany <apo@debian.org>
- Re: Security update of mysql-connector-java
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Security update of mysql-connector-java
  - From: Markus Koschany <apo@debian.org>
- Re: Security update of mysql-connector-java
  - From: Markus Koschany <apo@debian.org>
- Re: Security update of mysql-connector-java
  - From: Emmanuel Bourg <ebourg@apache.org>
- Re: Security update of mysql-connector-java
  - From: Markus Koschany <apo@debian.org>
- Re: Security update of mysql-connector-java
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Bug#827904: RM: libclirr-maven-plugin-java -- ROM; No longer used
Next by Date: Bug#827996: RM: jenkins-commons-jexl -- ROM; No longer used
Previous by thread: Re: Security update of mysql-connector-java
Next by thread: Bug#827775: RM: stapler -- ROM; No longer used
Index(es):
- Date
- Thread