Package: src:mysql-connector-python
Source: mysql-connector-python
Submitter: Moritz Muehlenhoff
Date: 2019-11-18 01:15:09 UTC
Severity: serious
mysql-connector-python is affected by Oracle's policy of not disclosing
what security fixes they fix.
CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in
8.x, while the version in stretch (2.1.x) is marked as vulnerable,
but no 2.1.9 release is available, i.e. we cannot effectively provide
a fix within stable only 20 months after stretch was released.
This renders mysql-connector-python unsuitable for inclusion in a stable
release with security support.
This leaves us with the following options for buster:
- There are no reverse dependencies in buster, remove it from testing
and hope that someone less hostile to the FLOSS community creates a
fork
- Aside from the packaged software and given that this is the only Python
binding for mysql/mariadb, there's most definitely a sizable number of
inhouse code using that module. Update src:debian-security-support to
mark mysql-connector-python as unsupported and add a README.Debian.security
which also documents this status within the package itself.
Cheers,
Moritz
Hello Moritz,

I'm not sure what kind of input you're expecting from me (if at all, and this RC is mostly for the RT), but I'll reply.

What kind of security support does Debian provide to the mysql server packages?

    $ apt-cache rdepends python-mysql.connector
    python-mysql.connector
    Reverse Depends:
      mysql-utilities
      mysql-workbench
    $ apt-cache rdepends python3-mysql.connector
    python3-mysql.connector
    Reverse Depends:
      openlp
      python3-sql

So some packages, not many; I didn't verify if they are in buster atm.

I think this is up to the security team to decide, no?
Dear Moritz,

There is also another Python connector for MariaDB/MySQL in the repos, `python3-mysqldb` and `python-mysqldb`. This is not a pure Python package but a wrapper around a C module.
Hello Moritz, could you please reply to the points made below? thanks!
Sorry, missed your reply.
None at all, they're only in unstable for that reason (Debian switched to MariaDB
which is more transparent).
mysql-utilities and mysql-workbench are not in buster.
openlp and python3-sql are.
IMHO ideally we'd not ship any code by Oracle and their ugly policies, but sometimes
(and especially late in the freeze), compromises/middlegrounds are necessary.
If you as the maintainer are fine with that, let's apply the policy for buster and
revisit one year before bullseye, maybe there's a more friendly fork by then which
Debian can adopt.
Cheers,
Moritz
to reintroduce it

-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi