Hi Mirco,
On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
>    severity 887751 important
>    thanks
> 
>    Hello Guido,
> 
>    thank you for the report.
> 
>    CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
>    You have bumped the severity from important to grave without an
>    explanation.

It only went in as important because I messed up the original report,
sorry about that.

>    Is there something you want to share?

I marked it as no-dsa in the security tracker because I don't see a
sensible way to fix this in stable / oldstable (given Oracle's update
policy) and due to the affected reverse dependencies we currently have
in these releases. But I deem the issue important enough to not let the
package slip into a stable release again "accidentally". Does this make
sense?

Cheers,
 -- Guido

>     [0]: [1]https://security-tracker.debian.org/tracker/CVE-2018-2585
>    Best regards,
> 
>    Mirco (meebey) Bauer
> 
>    FOSS Hacker             [2]mee...@meebey.net  [3]https://www.meebey.net/
>    Debian Developer        [4]mee...@debian.org  [5]http://www.debian.org/
>    GNOME Foundation Member [6]mmmba...@gnome.org [7]http://www.gnome.org/
>    CTO @ Gatecoin Ltd.     [8]mi...@gatecoin.com [9]https://gatecoin.com/
>    .NET Foundation Advisory Council Member  [10]http://www.dotnetfoundation.org/
>    PGP-Key ID              0x7127E5ABEEF946C8
>    [11]https://meebey.net/pubkey.asc
>    On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther <[12]a...@sigxcpu.org>
>    wrote:
> 
>      Package: mysql-connector-net
>      X-Debbugs-CC: [13]t...@security.debian.org
>      [14]secure-testing-t...@lists.alioth.debian.org
>      Severity: important
>      Tags: grave
>      Version: 6.4.3-2
> 
>      Hi,
> 
>      the following vulnerability was published for mysql-connector-net.
> 
>      CVE-2018-2585[0]:
>      | Vulnerability in the MySQL Connectors component of Oracle MySQL
>      | (subcomponent: Connector/Net). Supported versions that are affected
>      | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
>      | vulnerability allows unauthenticated attacker with network access via
>      | multiple protocols to compromise MySQL Connectors. Successful attacks
>      | of this vulnerability can result in unauthorized ability to cause a
>      | hang or frequently repeatable crash (complete DOS) of MySQL
>      | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
>      | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
> 
>      If you fix the vulnerability please also make sure to include the
>      CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
>      For further information see:
> 
>      [0] [15]https://security-tracker.debian.org/tracker/CVE-2018-2585
>          [16]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
> 
>      Please adjust the affected versions in the BTS as needed.
> 
>      _______________________________________________
>      pkg-cli-libs-team mailing list
>      [17]pkg-cli-libs-t...@lists.alioth.debian.org
>      [18]http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
> 
> References
> 
>    Visible links
>    1. https://security-tracker.debian.org/tracker/CVE-2018-2585
>    2. mailto:mee...@meebey.net
>    3. https://www.meebey.net/
>    4. mailto:mee...@debian.org
>    5. http://www.debian.org/
>    6. mailto:mmmba...@gnome.org
>    7. http://www.gnome.org/
>    8. mailto:mi...@gatecoin.com
>    9. https://gatecoin.com/
>   10. http://www.dotnetfoundation.org/
>   11. https://meebey.net/pubkey.asc
>   12. mailto:a...@sigxcpu.org
>   13. mailto:t...@security.debian.org
>   14. mailto:secure-testing-t...@lists.alioth.debian.org
>   15. https://security-tracker.debian.org/tracker/CVE-2018-2585
>   16. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
>   17. mailto:pkg-cli-libs-t...@lists.alioth.debian.org
>   18. http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
