Re: Security update of mysql-connector-java

Wed, 06 Jul 2016 13:14:30 -0700 

On Wed, Jun 22, 2016 at 06:19:08PM +0200, Markus Koschany wrote:
> On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
> > On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
> >> On 22.06.2016 00:43, Emmanuel Bourg wrote:
> >>> Le 22/06/2016 à 00:28, Markus Koschany a écrit :
> >>>
> >>>> Houston, we have a problem. It seems the latest upstream release
> >>>> requires Java 8 for building JDBC 4. In Jessie even Java 6 was
> >>>> sufficient. I suggest we ship version 5.1.34 of mysql-connector-java
> >>>> instead, which should build fine with Java 6/7 and also fix the security
> >>>> vulnerability. If there is a better way, please let me know.
> >>>
> >>> We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm
> >>> not mistaken it's just a matter of removing this build step:
> >>>
> >>> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
> >>>
> >>> Emmanuel Bourg
> >>
> >> That might be a solution. Perhaps we should also disable the testsuite
> >> in
> >> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
> >>
> >> I am not sure if this would prevent all possible runtime errors though.
> >> This would require more testing. In any case we have two options:
> >> Patching 5.1.39 and make it compatible for Jessie /Wheezy or use 5.1.34
> >> directly.
> > 
> > I'd prefer to make 5.1.39 compatible, there might an additional 
> > mysql-connector-java
> > security issue in the future, for which 5.1.34 will be insufficient and 
> > then we
> > already have the java 7 compat sorted out.
> 
> Yup, but new vulnerabilities could well have been introduced after
> 5.1.34, thus we will never really know in advance, what approach had
> saved us more time.
> 
> I have pushed my update for Jessie, 5.1.39-1~deb8u1, to
> 
> https://anonscm.debian.org/cgit/pkg-java/mysql-connector-java.git/log/?h=jessie-security
> 
> The debdiff is huge so I didn't bother to attach it to this e-mail.
> 
> I have rebuilt all reverse build-dependencies successfully. I have also
> used the library to connect to a local mysql database. I couldn't spot
> obvious regressions but I would appreciate it if more people tested the
> new version.

Sorry for the late reply. Please upload, I'll take care of the update.

Cheers,
        Moritz

Reply via email to