Bug#912916: mysql-connector-java: CVE-2018-3258: allows low privileged attacker to compromise it
tony mancill
tmancill at debian.org
Thu Nov 8 06:00:11 GMT 2018
On Mon, Nov 05, 2018 at 04:54:55PM +0100, Markus Koschany wrote:
>
> Am 05.11.18 um 14:13 schrieb Moritz Mühlenhoff:
> [...]
> > The Java connector follows the horrible Oracle policy of not disclosing
> > vulnerability information. Given that we now have mariadb-connector-java
> > in the archive (with a transparent upstream), can we migrate existing
> > reverse deps towards libmariadb-java and simply get rid of libmysql-java?
> >
> > List of build deps is rather short:
> >
> > jabref
> > pegasus-wms
> > jython
> > osmosis
> > netbeans
> > igv (non-free)
>
> I agree it would be nice if we could replace mysql-connector-java with
> the MariaDB version. I don't know how much effort is required to make
> the switch, hopefully it is just a drop-in-replacement. I think we
> should file bugs and let's see how it goes. I can do that.
>
> There are a few more r-deps for libmysql-java
>
> apt-cache rdepends libmysql-java
>
> Reverse Depends:
> jabref
> solr-common
> |sqlline
> pegasus-wms
> osmosis
> libnb-ide14-java
> solr-common
> |libreoffice-canzeley-client
> libreoffice-base-drivers
> jython
> jclic
> jameica
jabref can be removed from this list after the most recent upload. I
only had to update the (java) package name in the sources - i.e.:
- "com.mysql.jdbc.Driver",
+ "org.mariadb.jdbc.Driver",
At runtime, the mariadb-java-client JAR does seem to be a drop-in
replacement. I tested against mysql-5.7 both before and after the
change, and was able to use the same connection string, etc.
The information on the MariaDB Connector/J page [1] was helpful.
Cheers,
tony
[1] https://mariadb.com/kb/en/library/about-mariadb-connector-j/
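A check for the switch described in this thread, added here as an example and not code from the thread or from either connector project: with both JDBC drivers able to accept a `jdbc:mysql://` URL, the class that ends up serving a connection is decided by whatever is registered on the classpath, so after replacing libmysql-java it is worth confirming that DriverManager resolves the existing connection string to `org.mariadb.jdbc.Driver` rather than to a leftover `com.mysql.jdbc.Driver`. The URL, host and database name below are constructed placeholders, and `DriverManager.getDriver` only selects a driver; it does not open a connection, so this runs without a database.

```java
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

/** Reports which registered JDBC driver would handle a MySQL-scheme URL. */
public class DriverResolutionCheck {

    // Constructed sample URL; host, port and database are placeholders.
    static final String URL = "jdbc:mysql://localhost:3306/testdb";

    /** Class names of every driver currently registered with DriverManager. */
    static List<String> registeredDrivers() {
        return Collections.list(DriverManager.getDrivers()).stream()
                .map(d -> d.getClass().getName())
                .collect(Collectors.toList());
    }

    /**
     * Class name of the driver DriverManager would pick for the URL, or null
     * if no registered driver accepts it. No connection is opened.
     */
    static String resolvedDriver(String url) {
        try {
            Driver d = DriverManager.getDriver(url);
            return d.getClass().getName();
        } catch (SQLException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // JDBC 4 drivers self-register via META-INF/services when their JAR
        // is on the classpath, so this list shows what is actually loadable.
        System.out.println("registered drivers: " + registeredDrivers());

        String driver = resolvedDriver(URL);
        if (driver == null) {
            System.out.println("no registered driver accepts " + URL);
        } else if (driver.startsWith("org.mariadb.")) {
            System.out.println("OK: " + URL + " is served by " + driver);
        } else {
            // A com.mysql.* hit here means the old connector is still on the
            // classpath and would be used ahead of the MariaDB driver.
            System.out.println("WARNING: " + URL + " is served by " + driver);
        }
    }
}
```

Run it with the MariaDB client JAR on the classpath, for example `java -cp /usr/share/java/mariadb-java-client.jar:. DriverResolutionCheck` (the JAR path is assumed to be where Debian's libmariadb-java installs it; adjust if it differs). Two caveats for anyone repeating the switch later: Connector/J releases from the 3.0 series onward no longer accept the `jdbc:mysql:` scheme unless `permitMysqlScheme=true` is appended to the URL, so the "same connection string" result reported above holds for the 2.x series the thread was working with; and a package that still pulls in libmysql-java transitively will register both drivers, which is exactly the situation the warning branch above is meant to surface.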