
Refreshing mysql-connector-java



Hi,

Package mysql-connector-java is packaged in Debian up to stretch (and
was replaced with mariadb-connector-java starting with buster).
Consequently we need to provide security updates for a while longer.

Due to lack of disclosure from Oracle, we cannot identify (let alone
backport) the individual patches. The other option is to follow stable
branch 5.1.x. This was last done in 2017 with 5.1.42.

The 3 recent vulnerabilities are an opportunity to refresh the package,
so as not to have too big of a diff should a more critical vulnerability
happen in the future.
(Note: all 3 vulnerabilities are currently classified ignored due to
"marginal CVSS score", but the scores are actually 5.0, 4.7 and 2.2 -
out of 10.)

I'm volunteering to provide an updated 5.1.49 package for Jessie and
Stretch.

As part of Debian ELTS I checked the feasibility and how to run the
testsuite:
https://www.beuc.net/tmp/debian-lts/
https://wiki.debian.org/LTS/TestSuites/mysql-connector-java

Are you OK with this plan?

Cheers!
Sylvain

