On Mon, Nov 05, 2018 at 02:13:39PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Nov 04, 2018 at 10:35:42PM +0100, Markus Koschany wrote:
> > Package: mysql-connector-java
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for mysql-connector-java.
> > 
> > CVE-2018-3258[0]:
> > | Vulnerability in the MySQL Connectors component of Oracle MySQL
> > | (subcomponent: Connector/J). Supported versions that are affected are
> > | 8.0.12 and prior. Easily exploitable vulnerability allows low
> > | privileged attacker with network access via multiple protocols to
> > | compromise MySQL Connectors. Successful attacks of this vulnerability
> > | can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8
> > | (Confidentiality, Integrity and Availability impacts). CVSS Vector:
> > | (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

So upon a closer look this seems to only affect the 8.x releases of the
connector (Oracle only lists those affected release series which are
affected and this only lists 8.x, while 5.1.x is still supported; there's
a 5.1.47 release).

Still, this is a good example of why we should phase out mysql-connector-java
in favour of the more transparent mariadb-connector-java, so let's maybe
reuse this bug for tracking this? (Especially given Tony's experience
that the migration is rather straightforward).

Cheers,
        Moritz
