
Re: [debian-mysql] Updates to the mysql-8.0 package

[adding debian-security-tracker@lists.debian.org since I think this is
mistriaged in Debian's security tracker]

On Wed, May 04, 2022 at 10:27:42AM +0000, Cyrille Bollu wrote:
> The vulnerability report that I've received relates to CVE-2022-21363 which is purportedly fixed in mysql 8.0.29. 

I think (but am not sure and have not taken any steps to verify) that
this might be in the source package named mysql-connector-java, not the
source package named mysql-8.0. Ubuntu seems to think so:

https://ubuntu.com/security/cve-2022-21363

But Debian has listed this against mysql-8.0, which I'm not sure is
right:

https://security-tracker.debian.org/tracker/CVE-2022-21363

In Debian, mysql-connector-java is only available in Debian stretch (and
earlier), is out of regular security support, and is supported in Debian
LTS (https://wiki.debian.org/LTS) only for a few more months.

You mentioned you were using Ubuntu. In Ubuntu, it's available only in
18.04 ("Bionic") and earlier, and depends on community contributed
support since it's in Ubuntu's "universe" component. Security updates to
Ubuntu stable releases do not normally sync from Debian, and have to be
made separately. See
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on
Ubuntu's processes for this. If you'd like to prepare an update for the
mysql-connector-java package for Debian stretch and/or Ubuntu 18.04 then
I'm sure your contributions would be welcome in both places, but the
processes are different - please see the above links.

> So, I thought bringing mysql-8.0 up-to-date in Debian would bring the fix down to Ubuntu afterward. Isn't that how both projects work together?

Generally Debian and Ubuntu don't necessarily freeze on the same
versions, so usually it's done separately and manually though of course
we share what we can. It's only the development releases where things
flow from Debian to Ubuntu more directly.

> PS: I've been considering helping to fix vulnerabilities in Ubuntu/Debian for years (which I believe often just consists of updating packages), so I'm really eager for your feedback :-)

I hope the above helps! Any questions, please do ask.
