
RE: [debian-mysql] Updates to the mysql-8.0 package



Hi,

I've just realized that the mysql-connector-java package that we're using comes directly from Oracle (https://dev.mysql.com/downloads/connector/j/).

Sorry for the noise and thanks for your support :-)

Best regards,

---
Cyrille Bollu
Belnet . ICT/Logistics 
WTC III
Simon Bolivarlaan 30-B2 Boulevard Simon Bolivar
1000 Brussel/Bruxelles 
België . Belgique
T: +32 2 790 33 33
F: +32 2 790 33 34
https://www.belnet.be
-----Original Message-----
From: Robie Basak <robie.basak@ubuntu.com> 
Sent: Wednesday 4 May 2022 14:51
To: Cyrille Bollu <Cyrille.Bollu@belnet.be>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: [debian-mysql] Updates to the mysql-8.0 package

[adding debian-security-tracker@lists.debian.org since I think this is mistriaged in Debian's security tracker]

On Wed, May 04, 2022 at 10:27:42AM +0000, Cyrille Bollu wrote:
> The vulnerability report that I've received relates to CVE-2022-21363 which is purportedly fixed in mysql 8.0.29. 

I think (but am not sure and have not taken any steps to verify) that this might be in the source package named mysql-connector-java, not the source package named mysql-8.0. Ubuntu seems to think so:

https://ubuntu.com/security/cve-2022-21363

But Debian has listed this against mysql-8.0, which I'm not sure is right:

https://security-tracker.debian.org/tracker/CVE-2022-21363

In Debian, mysql-connector-java is only available in Debian stretch (and earlier), is out of regular security support, and is supported in Debian LTS (https://wiki.debian.org/LTS) only for a few more months.

You mentioned you were using Ubuntu. In Ubuntu, it's available only in 18.04 ("Bionic") and earlier, and depends on community-contributed support since it's in Ubuntu's "universe" component. Security updates to Ubuntu stable releases do not normally sync from Debian, and have to be made separately. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on Ubuntu's processes for this. If you'd like to prepare an update for the mysql-connector-java package for Debian stretch and/or Ubuntu 18.04 then I'm sure your contributions would be welcome in both places, but the processes are different - please see the above links.

> So, I thought bringing mysql-8.0 up-to-date in Debian would bring the fix down to Ubuntu afterward. Isn't it how both projects work together?

Generally Debian and Ubuntu don't necessarily freeze on the same versions, so usually it's done separately and manually though of course we share what we can. It's only the development releases where things flow from Debian to Ubuntu more directly.

> PS: I've been considering helping to fix vulnerabilities in Ubuntu/Debian
> for years (which I believe often just consists of updating packages),
> so I'm really eager for your feedback :-)

I hope the above helps! Any questions, please do ask.
