Re: CVE-2017-3590 in mysql-connector-python

To: Markus Koschany <apo@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: CVE-2017-3590 in mysql-connector-python
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Thu, 10 Aug 2017 18:28:02 +0200
Message-id: <[🔎] 20170810162802.t3msjdfx6vr36ruh@pisco.westfalen.local>
In-reply-to: <[🔎] a2e7e925-2d0e-6642-b74e-a73b03cdad80@debian.org>
References: <[🔎] 20170810152904.j77i6aqpkzgmgmbh@hle-laptop.local> <[🔎] a2e7e925-2d0e-6642-b74e-a73b03cdad80@debian.org>

On Thu, Aug 10, 2017 at 12:02:58PM -0400, Markus Koschany wrote:
> On 10/08/17 11:29, Hugo Lefeuvre wrote:
> > Hi,
> > 
> > mysql-connector-python is affected by CVE-2017-3590.
> > 
> > Since we cannot extract the fix from the upstream patch, the only way to solve
> > the issue is to backport 2.6.1-1 to wheezy. However this issue is no-dsa
> > in Jessie, which has 1.2.3-2.
> > 
> > If I backport 2.6.1 to wheezy, wheezy will have a newer version than jessie.
> > 
> > Should I mark the issue no-dsa in this case ?
> 
> It appears that CVE-2017-3590 can only be exploited locally. We could also
> postpone the update and wait for more important issues and fix this issue
> later.

Also sounds fine. CVSS score is also very low (that's where the no-dsa is
coming from).

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: CVE-2017-3590 in mysql-connector-python
  - From: Hugo Lefeuvre <hle@debian.org>

References:
- CVE-2017-3590 in mysql-connector-python
  - From: Hugo Lefeuvre <hle@debian.org>
- Re: CVE-2017-3590 in mysql-connector-python
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: CVE-2017-3590 in mysql-connector-python
Next by Date: Re: CVE-2017-3590 in mysql-connector-python
Previous by thread: Re: CVE-2017-3590 in mysql-connector-python
Next by thread: Re: CVE-2017-3590 in mysql-connector-python
Index(es):
- Date
- Thread