[Git][security-tracker-team/security-tracker][master] 3 commits: Remove mysql-connector-java from dla-needed.txt

Markus Koschany (@apo) apo at debian.org
Sat May 28 15:46:40 BST 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a64575f9 by Markus Koschany at 2022-05-28T16:35:50+02:00
Remove mysql-connector-java from dla-needed.txt

mysql-connector-java requires a new upstream release because details about
CVE-2022-21363 are not available and thus a patch cannot be backported.

The new version supports only mysql 8.x and 5.7. It requires Java 8 and at
least libprotobuf-java 3.12.4, currently only available in Bullseye.

Since the MySQL package has been replaced by MariaDB there is no real consumer
of mysql-connector-java in Stretch anymore. Since a new version of protobuf is
required (a new source package would be the most sensible approach), it makes
more sense to mark mysql-connector-java as EOL now.

A working package can be found on the experimental branch in Git at

https://salsa.debian.org/java-team/mysql-connector-java/-/tree/experimental

but there are no plans to upload it to Stretch at the moment.

- - - - -
0d30607a by Markus Koschany at 2022-05-28T16:43:41+02:00
CVE-2022-21363,mysql-connector-java: end-of-life in Stretch

- - - - -
62cefbc3 by Markus Koschany at 2022-05-28T16:46:19+02:00
Claim pngcheck in dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -37747,6 +37747,7 @@ CVE-2022-21364 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o
 	NOT-FOR-US: Oracle
 CVE-2022-21363 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...)
 	- mysql-connector-java <removed>
+	[stretch] - mysql-connector-java <end-of-life> (MySQL has been replaced with MariaDB)
 CVE-2022-21362 (Vulnerability in the MySQL Server product of Oracle MySQL (component:  ...)
 	- mysql-8.0 8.0.29-1
 CVE-2022-21361 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...)
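
Review bot: The reason given in parentheses on the added `[stretch]` line, "MySQL has been replaced with MariaDB", explains only why there is no consumer left. The commit message for a64575f9 gives a different reason for why the fix cannot be shipped: no patch can be backported for CVE-2022-21363, and the new upstream release needs libprotobuf-java 3.12.4, which is only in Bullseye. Consider putting that in the annotation too, for example `(fix requires new upstream release and newer protobuf; MySQL has been replaced with MariaDB)`, so a reader of data/CVE/list sees why the package is end-of-life without digging through the Git history.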


=====================================
data/dla-needed.txt
=====================================
@@ -152,9 +152,6 @@ mbedtls (Utkarsh)
 modsecurity-crs
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk)
 --
-mysql-connector-java (Markus Koschany)
-  NOTE: 20220512: Requires a new upstream version. (apo)
---
 ncurses
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk)
 --
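
Review bot: Removing the mysql-connector-java entry also drops its only NOTE ("Requires a new upstream version."). After this, the pointer to the working package on the experimental branch exists only in the commit message. Consider recording that branch URL as a NOTE under the CVE-2022-21363 entry in data/CVE/list, so anyone who later revisits Stretch support can find the prepared package from the tracker data.
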
@@ -194,7 +191,7 @@ pjproject (Abhijith PA)
 plinth
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk)
 --
-pngcheck
+pngcheck (Markus Koschany)
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.8 (1 CVE) (Beuc/front-desk)
 --
 postgresql-9.6
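
Review bot: The NOTE directly under the newly claimed pngcheck entry reads "harmonize with with Debian 10.8". The same doubled word appears in the context lines for modsecurity-crs, ncurses and plinth. Since this entry is being edited anyway, the typo could be fixed in the same change, at least for pngcheck.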



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6d12ad33ae037fe4eda4983d93a031a77e2a5692...62cefbc3566f43f4791a3775d7ac0a7cd69e0399
