mysql-connector-python

CCed to security team because this affects wheezy all the way through to
sid.

I think we have limited options, I don't think trying to generate a
patch to this is worthwhile. The scarce information on the
vulnerability, or how to test it, is likely to make this very
difficult. Especially considering there are AFAIK only two reverse
dependencies of this library (mysql-workbench and mysql-utilities).

The bug description sounds nasty ("Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access
to some of MySQL Connectors accessible data") but I am not sure I really
understand the scope of the attack. This is a client library, but the
description makes it sound like an attacker with a mysql login can
attack the server. Which confuses me.

In the list of bugs fixed by the upstream patch, there doesn't seem to
be any that sound like this problem:

+v2.1.6
+======
+
+- BUG#25726671: Fix compatibility issues with the latest Django versions
+- BUG#25558885: Set default connection timeout to pure connector/python
+- BUG#25397650: Verify server certificate only if ssl_verify_cert is True
+- BUG#25589496: Don't convert to unicode if non-ascii data is present
+- BUG#25383644: Add connection back to pool on exception
+- BUG#22476689: Importing world.sql fails with cext enabled
+- BUG#20736339: Expect multiple include directories from mysql_config
+- BUG#19685386: C extension tests are failing using MySQL 5.7.4

It is also possible that the issue involves lack of ssl certificate
verification. Although the bug title implies it cannot be turned
off.

There is also new code that appears to check we are using
sha256_password for the auth plugin if ssl is disabled. Which could also
be what they are describing - might be considered a problem if the
password is sent in plain text. Doesn't seem to match the "low
privileged attacker with logon" bit however.

Options I see are:

* Mark the issue no-dsa.
* Update to the latest upstream version.
* Remove the packages and the reverse dependencies.

The full description of this bug:

"Vulnerability in the MySQL Connectors component of Oracle MySQL
(subcomponent: Connector/Python). Supported versions that are affected
are 2.1.5 and earlier. Easily "exploitable" vulnerability allows low
privileged attacker with logon to the infrastructure where MySQL
Connectors executes to compromise MySQL Connectors. Successful attacks
of this vulnerability can result in unauthorized update, insert or
delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base
Score 3.3 (Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)."
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
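A small configuration check in the spirit of the two points raised in the mail (certificate verification, and sha256_password when SSL is off), added here as an example and not part of the mail or of Connector/Python. The kwarg names ssl_disabled, ssl_verify_cert, ssl_ca and auth_plugin are real mysql.connector.connect() options; the policy applied to them, the function name and the sample configs are assumptions of this example.

```python
# Added example (not from the original mail or from Connector/Python):
# audit the keyword arguments that would be handed to
# mysql.connector.connect() before a connection is ever opened.
# ssl_disabled / ssl_verify_cert / ssl_ca / auth_plugin are real
# Connector/Python options; the policy below is this example's own.
from typing import Any, Dict, List


def audit_connect_kwargs(kwargs: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    ssl_disabled = bool(kwargs.get("ssl_disabled", False))
    verify_cert = bool(kwargs.get("ssl_verify_cert", False))  # default False
    ssl_ca = kwargs.get("ssl_ca")
    auth_plugin = kwargs.get("auth_plugin")

    if ssl_disabled:
        findings.append("tls-off: ssl_disabled=True, the session is cleartext")
        if auth_plugin == "sha256_password":
            # The mail notes upstream added a check for exactly this
            # combination; this policy rejects it outright.
            findings.append("sha256-no-tls: sha256_password requested with "
                            "TLS disabled")
    else:
        if not verify_cert:
            findings.append("no-verify: ssl_verify_cert is not True, the "
                            "server certificate is not checked")
        elif not ssl_ca:
            findings.append("no-ca: ssl_verify_cert=True but no ssl_ca given, "
                            "there is nothing to verify against")
    return findings


# Constructed sample configurations (placeholder host, user and paths).
WEAK = {"host": "db.example.internal", "user": "app", "password": "x",
        "ssl_disabled": True, "auth_plugin": "sha256_password"}
HARDENED = {"host": "db.example.internal", "user": "app", "password": "x",
            "ssl_verify_cert": True, "ssl_ca": "/etc/ssl/certs/db-ca.pem"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connect_kwargs(cfg) or "ok")
```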