Hi,

Package mysql-connector-java is packaged in Debian up to stretch (and was replaced with mariadb-connector-java starting with buster). Consequently we need to provide security updates for a while longer.

Due to lack of disclosure from Oracle, we cannot identify (let alone backport) the individual patches. The other option is to follow stable branch 5.1.x. This was last done in 2017 with 5.1.42.

The 3 recent vulnerabilities are an opportunity to refresh the package, so as not to have too big of a diff should a more critical vulnerability happen in the future. (Note: all 3 vulnerabilities are currently classified ignored due to "marginal CVSS score", but the scores are actually 5.0, 4.7 and 2.2 - out of 10.)

I'm volunteering to provide an updated 5.1.49 package for Jessie and Stretch. As part of Debian ELTS I checked the feasibility and how to run the testsuite:
https://www.beuc.net/tmp/debian-lts/
https://wiki.debian.org/LTS/TestSuites/mysql-connector-java

Are you OK with this plan?

Cheers!
Sylvain