Bug#912916: mysql-connector-java: CVE-2018-3258: allows low privileged attacker to compromise it

Moritz Muehlenhoff jmm at inutil.org
Thu Nov 8 19:53:11 GMT 2018


On Thu, Nov 08, 2018 at 07:42:35PM +0100, Markus Koschany wrote:
> Am 08.11.18 um 19:34 schrieb Moritz Mühlenhoff:
> [...]
> > So upon a closer look this seems to only affect the 8.x releases of the
> > connector (Oracle only lists those affected release series which are
> > affected and this only lists 8.x, while 5.1.x is still supported; there's
> > a 5.1.47 release).
> > 
> > Still, this is a good example why we should phase out mysql-connector-java
> > in favour of the more transparent mariadb-connector-java, so let's maybe
> > reuse this bug for tracking this? (Especially given Tony's experience
> > that the migration is rather straightforward).
> 
> I'm currently working on updating the affected packages. I intend to
> complete this at the weekend. Some packages are not maintained by the
> Java team, so I will retitle this bug report and file bugs for those
> packages that block the removal of mysql-connector-java. I will CC you
> once I have made some progress.

Great, thanks! Much appreciated.

Cheers,
        Moritz



More information about the pkg-java-maintainers mailing list