Re: Refreshing mysql-connector-java
Hi Security Team,
What is your view on updating mysql-connector-java 5.1.42->5.1.49 for
Would you need a complete debdiff specifically for Stretch to make a
decision, or do you already have feedback on this proposal?
On 11/05/2020 13:51, Sylvain Beucler wrote:
> On 08/05/2020 11:39, Chris Lamb wrote:
>>> The 3 recent vulnerabilities are an opportunity to refresh the package,
>>> so as not to have too big of a diff should a more critical vulnerability
>>> happen in the future.
>> No objections in theory but I am finding it difficult to gauge the
>> risk of introducing problems by refreshing this package without
>> knowing much about it.
>> (Do we have an idea of how big the debdiff would be for this initial
> I had published the wheezy debdiff at:
> It's big (700kB), but it will keep growing bigger.
>> Have we had issues in the past?
> Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
> feedback on upgrading libmysql-connector-java to the latest stable
> dot-release 5.1.42->5.1.49?
>> Is there another metric we can use?)
> The test suite is a good indicator of whether regressions occurred:
> So far I didn't see regressions, there are still some failing tests (in
> current and proposed versions) that requires some classpath fiddling,
> which I'll tackle if we follow this path.
> More generally, the "not updating the package" alternative also has
> consequences, namely not fixing 3 opaque vulnerabilities of varying
> severity, and reduced ability to fix a severe issue in the future.
> The "backporting the patches" alternative seems unpractical since even
> with the changelog, I'm not able to distinguish what is a bug fix and
> what is vulnerability fix, neither in this upload nor in the last.
> The "drop security support" alternative can be considered as well,
> though given that we do have a stable branch from upstream, this sounds
> a bit harsh.
> The "replace with a mariadb-connector-java backport" alternative is
> likely to introduce more issues, starting with having a different Java
> package name.
> So do we refresh mysql-connector-java in all affected suites? :)
On 11/05/2020 18:42, Emmanuel Bourg wrote:
> Le 11/05/2020 à 13:51, Sylvain Beucler a écrit :
>> Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
>> feedback on upgrading libmysql-connector-java to the latest stable
>> dot-release 5.1.42->5.1.49?
> The MySQL connector is rather stable and upgrading it is usually a safe
> operation, because applications are coded for the JDBC API (provided by
> the JDK) and don't use internal classes from the connector. In 15 years
> I've personally never seen any regression with my applications after
> upgrading the MySQL connector.
> Emmanuel Bourg