Hi Security Team,

What is your view on updating mysql-connector-java 5.1.42->5.1.49 for Stretch?
Would you need a complete debdiff specifically for Stretch to make a decision, or do you already have feedback on this proposal?

Cheers!
Sylvain

On 11/05/2020 13:51, Sylvain Beucler wrote:
> On 08/05/2020 11:39, Chris Lamb wrote:
>>> The 3 recent vulnerabilities are an opportunity to refresh the package,
>>> so as not to have too big of a diff should a more critical vulnerability
>>> happen in the future.
>>
>> No objections in theory but I am finding it difficult to gauge the
>> risk of introducing problems by refreshing this package without
>> knowing much about it.
>>
>> (Do we have an idea of how big the debdiff would be for this initial
>> upload?
>
> I had published the wheezy debdiff at:
> https://www.beuc.net/tmp/debian-lts/mysql-connector-java/
>
> It's big (700kB), but it will keep growing bigger.
>
>> Have we had issues in the past?
>
> Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
> feedback on upgrading libmysql-connector-java to the latest stable
> dot-release 5.1.42->5.1.49?
>
>> Is there another metric we can use?)
>
> The test suite is a good indicator of whether regressions occurred:
> https://wiki.debian.org/LTS/TestSuites/mysql-connector-java
>
> So far I didn't see regressions, there are still some failing tests (in
> current and proposed versions) that require some classpath fiddling,
> which I'll tackle if we follow this path.
>
>
> More generally, the "not updating the package" alternative also has
> consequences, namely not fixing 3 opaque vulnerabilities of varying
> severity, and reduced ability to fix a severe issue in the future.
>
> The "backporting the patches" alternative seems unpractical since even
> with the changelog, I'm not able to distinguish what is a bug fix and
> what is a vulnerability fix, neither in this upload nor in the last.
>
> The "drop security support" alternative can be considered as well,
> though given that we do have a stable branch from upstream, this sounds
> a bit harsh.
>
> The "replace with a mariadb-connector-java backport" alternative is
> likely to introduce more issues, starting with having a different Java
> package name.
>
>
> So do we refresh mysql-connector-java in all affected suites? :)

On 11/05/2020 18:42, Emmanuel Bourg wrote:
> On 11/05/2020 13:51, Sylvain Beucler wrote:
>> Maybe Markus (as last uploader) or Emmanuel (former maintainer) have
>> feedback on upgrading libmysql-connector-java to the latest stable
>> dot-release 5.1.42->5.1.49?
>
> The MySQL connector is rather stable and upgrading it is usually a safe
> operation, because applications are coded for the JDBC API (provided by
> the JDK) and don't use internal classes from the connector. In 15 years
> I've personally never seen any regression with my applications after
> upgrading the MySQL connector.
>
> Emmanuel Bourg
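Emmanuel's argument that a connector dot-release is low-risk rests on applications using only the JDBC API rather than the connector's own classes. The script below is an added example (not part of this thread or of the Debian package) that turns that premise into a check a reviewer can run over an application's sources before approving the upgrade: it lists every Java file whose import statements reach into the connector implementation package. It assumes `com.mysql.jdbc` is that package for Connector/J 5.1.x, and the two sample source files it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a quick regression-risk check for
# Emmanuel's point above. Applications that only import java.sql / javax.sql
# (the JDBC API from the JDK) are insulated from a connector dot-release;
# applications that import the connector's own implementation package are
# coupled to its internals and deserve a closer look before the upgrade.
# Assumption: com.mysql.jdbc is the implementation package of Connector/J 5.1.x.

# List every .java file under $1 that imports connector-internal classes.
# Only real import statements are matched, not mentions in comments or strings.
find_connector_internals() {
    find "$1" -name '*.java' -exec \
        grep -lE '^[[:space:]]*import[[:space:]]+com\.mysql\.jdbc\.' {} +
}

# Number of coupled files; 0 means the upgrade only has to honour the JDBC API.
count_connector_internals() {
    find_connector_internals "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real project) used to exercise the check.
make_sample_tree() {
    mkdir -p "$1/app" "$1/legacy"
    # Portable: talks to the driver only through java.sql interfaces.
    cat > "$1/app/Portable.java" <<'EOF'
import java.sql.Connection;
import java.sql.DriverManager;

public class Portable {
    // A comment mentioning com.mysql.jdbc.Driver must not count as coupling.
    Connection open() throws Exception {
        return DriverManager.getConnection("jdbc:mysql://localhost/db");
    }
}
EOF
    # Coupled: reaches into the connector's implementation package.
    cat > "$1/legacy/Coupled.java" <<'EOF'
import java.sql.SQLException;
import com.mysql.jdbc.MySQLConnection;

public class Coupled {
    void tune(MySQLConnection c) throws SQLException { c.setAutoCommit(false); }
}
EOF
}

# Stand-alone demo: build the sample tree, report, clean up.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "Files coupled to connector internals: $(count_connector_internals "$demo_dir")"
find_connector_internals "$demo_dir"
rm -rf "$demo_dir"
```

Running it against the constructed tree reports one coupled file (legacy/Coupled.java) and ignores the comment-only mention in Portable.java, because the pattern is anchored on an actual import statement. Pointing `find_connector_internals` at a real application's source tree gives a count of zero when the upgrade only has to keep honouring the JDBC API, which is the situation Emmanuel describes; a non-zero count names the files worth re-testing against the new connector.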