[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2017-3590 in mysql-connector-python

On 10/08/17 11:29, Hugo Lefeuvre wrote:

mysql-connector-python is affected by CVE-2017-3590.

Since we cannot extract the fix from the upstream patch, the only way to solve
the issue is to backport 2.6.1-1 to wheezy. However this issue is no-dsa
in Jessie, which has 1.2.3-2.

If I backport 2.6.1 to wheezy, wheezy will have a newer version than jessie.

Should I mark the issue no-dsa in this case ?

It appears that CVE-2017-3590 can only be exploited locally. We could also postpone the update and wait for more important issues and fix this issue later.



Reply to: