Bug#912916: mysql-connector-java: CVE-2018-3258: allows low privileged attacker to compromise it

Moritz Mühlenhoff jmm at inutil.org
Mon Nov 5 13:13:39 GMT 2018


On Sun, Nov 04, 2018 at 10:35:42PM +0100, Markus Koschany wrote:
> Package: mysql-connector-java
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for mysql-connector-java.
> 
> CVE-2018-3258[0]:
> | Vulnerability in the MySQL Connectors component of Oracle MySQL
> | (subcomponent: Connector/J). Supported versions that are affected are
> | 8.0.12 and prior. Easily exploitable vulnerability allows low
> | privileged attacker with network access via multiple protocols to
> | compromise MySQL Connectors. Successful attacks of this vulnerability
> | can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8
> | (Confidentiality, Integrity and Availability impacts). CVSS Vector:
> | (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The Java connector follows the horrible Oracle policy of not disclosing
vulnerability information. Given that we now have mariadb-connector-java
in the archive (with a transparent upstream), can we migrate existing
reverse deps towards libmariadb-java and simply get rid of libmysql-java?

List of build deps is rather short:

jabref
pegasus-wms
jython
osmosis
netbeans
igv (non-free)

Cheers,
        Moritz
