Debian Bug report logs - #841677
mysql-connector-python: CVE-2016-5598

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 22 Oct 2016 06:30:01 UTC

Severity: grave

Tags: security, upstream

Found in version mysql-connector-python/2.1.3-1

Fixed in version mysql-connector-python/2.1.5-1

Done: Sandro Tosi <morph@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sandro Tosi <morph@debian.org>:
Bug#841677; Package src:mysql-connector-python. (Sat, 22 Oct 2016 06:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sandro Tosi <morph@debian.org>. (Sat, 22 Oct 2016 06:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-connector-python: CVE-2016-5598
Date: Sat, 22 Oct 2016 08:27:56 +0200
Source: mysql-connector-python
Version: 2.1.3-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for mysql-connector-python.

CVE-2016-5598[0].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5598
[1] http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#MSQL

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Sandro Tosi <morph@debian.org>:
Bug#841677; Package src:mysql-connector-python. (Thu, 03 Nov 2016 09:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Sandro Tosi <morph@debian.org>. (Thu, 03 Nov 2016 09:45:03 GMT) (full text, mbox, link).


Message #10 received at 841677@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 841677@bugs.debian.org
Subject: Re: Bug#841677: mysql-connector-python: CVE-2016-5598
Date: Thu, 3 Nov 2016 10:41:04 +0100
Hi,
On Sat, Oct 22, 2016 at 08:27:56AM +0200, Salvatore Bonaccorso wrote:
> Source: mysql-connector-python
> Version: 2.1.3-1
> Severity: grave
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for mysql-connector-python.
> 
> CVE-2016-5598[0].
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-5598
> [1] http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html#MSQL
> 
> Please adjust the affected versions in the BTS as needed.

While 2.1.4 has other changes, the only change in 2.0.5 is the CVE
fix. It seems this is caused by format string expansion in
_format_params_dict. I've attached the diff between 2.0.4 → 2.0.5. I
think wheezy is affected since it uses Python's format expansion there,
but I'd be glad about a second opinion.
Cheers,
 -- Guido
[2.0.4-2.0.5.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Sandro Tosi <morph@debian.org> to control@bugs.debian.org. (Sun, 18 Dec 2016 00:57:09 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#841677. (Sun, 18 Dec 2016 00:57:12 GMT) (full text, mbox, link).


Message #15 received at 841677-submitter@bugs.debian.org (full text, mbox, reply):

From: Sandro Tosi <morph@debian.org>
To: 841677-submitter@bugs.debian.org
Subject: Bug#841677 marked as pending
Date: Sun, 18 Dec 2016 00:56:16 +0000
tag 841677 pending
thanks

Hello,

Bug #841677 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=python-modules/packages/mysql-connector-python.git;a=commitdiff;h=9f578de

---
commit 9f578de14e410f7b55a5e7482a2fc2c5255c535f
Author: Sandro Tosi <morph@debian.org>
Date:   Sat Dec 17 19:50:36 2016 -0500

    fixes CVE-2016-5598; Closes: #841677

diff --git a/debian/changelog b/debian/changelog
index 89bf3cc..6bf9094 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 mysql-connector-python (2.1.5-1) UNRELEASED; urgency=medium
 
   * New upstream release
+    - fixes CVE-2016-5598; Closes: #841677
   * debian/copyright
     - update upstream copyright years
   * debian/control
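Review bot: the added changelog line `- fixes CVE-2016-5598; Closes: #841677` records the CVE id but not what was actually fixed; since Message #10 in this log traces the issue to format string expansion in _format_params_dict, consider stating that in the entry (e.g. `- fixes CVE-2016-5598 (format string expansion in _format_params_dict); Closes: #841677`) so that anyone reading the changelog, or backporting to wheezy as discussed above, can see which code path the new upstream release changed.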
@@ -10,7 +11,7 @@ mysql-connector-python (2.1.5-1) UNRELEASED; urgency=medium
     - support MariaDB versioning schema and search binaries only in directories
       with 'bin' in their name
 
- -- Sandro Tosi <morph@debian.org>  Sat, 17 Dec 2016 19:48:07 -0500
+ -- Sandro Tosi <morph@debian.org>  Sat, 17 Dec 2016 19:49:56 -0500
 
 mysql-connector-python (2.1.3-1) unstable; urgency=medium
 



Reply sent to Sandro Tosi <morph@debian.org>:
You have taken responsibility. (Sun, 18 Dec 2016 01:21:04 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Dec 2016 01:21:04 GMT) (full text, mbox, link).


Message #20 received at 841677-close@bugs.debian.org (full text, mbox, reply):

From: Sandro Tosi <morph@debian.org>
To: 841677-close@bugs.debian.org
Subject: Bug#841677: fixed in mysql-connector-python 2.1.5-1
Date: Sun, 18 Dec 2016 01:19:50 +0000
Source: mysql-connector-python
Source-Version: 2.1.5-1

We believe that the bug you reported is fixed in the latest version of
mysql-connector-python, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841677@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <morph@debian.org> (supplier of updated mysql-connector-python package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Dec 2016 19:53:41 -0500
Source: mysql-connector-python
Binary: python-mysql.connector python3-mysql.connector
Architecture: source all
Version: 2.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <morph@debian.org>
Changed-By: Sandro Tosi <morph@debian.org>
Description:
 python-mysql.connector - pure Python implementation of MySQL Client/Server protocol
 python3-mysql.connector - pure Python implementation of MySQL Client/Server protocol (Pytho
Closes: 841677 848291
Changes:
 mysql-connector-python (2.1.5-1) unstable; urgency=medium
 .
   * New upstream release
     - fixes CVE-2016-5598; Closes: #841677
   * debian/copyright
     - update upstream copyright years
   * debian/control
     - adjust b-d to "default-mysql-server | virtual-mysql-server", for new
       default mysql server provider; Closes: #848291
   * debian/patches/support_alternative_mysqld_implementation.patch
     - support MariaDB versioning schema and search binaries only in directories
       with 'bin' in their name
   * compat level 10





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 11:10:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:10:01 2019; Machine Name: beach
