Package mysql-connector-java is packaged in Debian up to stretch (and
was replaced with mariadb-connector-java starting with buster).
Consequently we need to provide security updates for a while longer.
Due to lack of disclosure from Oracle, we cannot identify (let alone
backport) the individual patches. The other option is to follow stable
branch 5.1.x. This was last done in 2017 with 5.1.42.
The 3 recent vulnerabilities are an opportunity to refresh the package,
so as not to have too big of a diff should a more critical vulnerability
happen in the future.
(Note: all 3 vulnerabilities are currently classified ignored due to
"marginal CVSS score", but the scores are actually 5.0, 4.7 and 2.2 -
out of 10.)
I'm volunteering to provide an updated 5.1.49 package for Jessie and
As part of Debian ELTS I checked the feasibility and how to run the
Are you OK with this plan?