Hi,

I've just realized that the mysql-connector-java package that we're using comes 
directly from Oracle (https://dev.mysql.com/downloads/connector/j/).

Sorry for the noise and thanks for your support :-)

Best regards,

---
Cyrille Bollu
Belnet . ICT/Logistics 
WTC III
Simon Bolivarlaan 30-B2 Boulevard Simon Bolivar
1000 Brussel/Bruxelles 
België . Belgique
T: +32 2 790 33 33
F: +32 2 790 33 34
https://www.belnet.be
-----Original Message-----
From: Robie Basak <[email protected]> 
Sent: Wednesday 4 May 2022 14:51
To: Cyrille Bollu <[email protected]>
Cc: [email protected]
Subject: Re: [debian-mysql] Updates to the mysql-8.0 package

[adding [email protected] since I think this is 
mistriaged in Debian's security tracker]

On Wed, May 04, 2022 at 10:27:42AM +0000, Cyrille Bollu wrote:
> The vulnerability report that I've received relates to CVE-2022-21363 which 
> is purportedly fixed in mysql 8.0.29. 

I think (but am not sure and have not taken any steps to verify) that this 
might be in the source package named mysql-connector-java, not the source 
package named mysql-8.0. Ubuntu seems to think so:

https://ubuntu.com/security/cve-2022-21363

But Debian has listed this against mysql-8.0, which I'm not sure is
right:

https://security-tracker.debian.org/tracker/CVE-2022-21363

In Debian, mysql-connector-java is only available in Debian stretch (and 
earlier), is out of regular security support, and is supported in Debian LTS 
(https://wiki.debian.org/LTS) only for a few more months.

You mentioned you were using Ubuntu. In Ubuntu, it's available only in
18.04 ("Bionic") and earlier, and depends on community contributed support 
since it's in Ubuntu's "universe" component. Security updates to Ubuntu stable 
releases do not normally sync from Debian, and have to be made separately. See 
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on Ubuntu's 
processes for this. If you'd like to prepare an update for the 
mysql-connector-java package for Debian stretch and/or Ubuntu 18.04 then I'm 
sure your contributions would be welcome in both places, but the processes are 
different - please see the above links.

> So, I thought bringing mysql-8.0 up-to-date in Debian would bring the fix 
> down to Ubuntu afterward. Isn't it how both projects work together?

Generally Debian and Ubuntu don't necessarily freeze on the same versions, so 
usually it's done separately and manually though of course we share what we 
can. It's only the development releases where things flow from Debian to Ubuntu 
more directly.

> PS: I've been considering helping fix vulnerabilities in Ubuntu/Debian 
> for years (which I believe often just consists of updating packages), 
> so I'm really eager for your feedback :-)

I hope the above helps! Any questions, please do ask.

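The practical question the thread turns on is whether the Connector/J JAR an application loads is the distribution's package (and therefore covered by the Debian or Ubuntu security tracker) or a build downloaded straight from Oracle (which has to be tracked against Oracle's own advisory and version). The script below is an added example, not code from the thread or from either distribution; it reads Implementation-Version out of the JAR's META-INF/MANIFEST.MF, asks dpkg whether any package owns the file, and compares the version against a "fixed in" version that the caller supplies from the advisory being triaged. The sample JAR, its manifest contents and the version numbers used in the demo are constructed for illustration; the fixed version is an input, not something this code asserts.

```python
"""Triage helper: which Connector/J build is really on disk, and who owns it?

Added example for the discussion above; not part of the mailing-list thread.
"""
import os
import subprocess
import tempfile
import zipfile


def read_manifest(jar_path):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict.

    Manifest lines longer than 72 bytes are wrapped, with continuation lines
    starting with a single space; these are joined back before splitting
    on the first ':'. Reading stops at the first blank line, which ends the
    main section.
    """
    attrs = {}
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:  # JAR without a manifest: nothing to report
            return attrs
    logical = []
    for line in raw.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line.strip() == "":
            break
        else:
            logical.append(line)
    for line in logical:
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_version(version):
    """'8.0.29' -> (8, 0, 29). Non-numeric suffixes such as '-rc' are dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True when the installed version sorts below the version given as fixed."""
    return parse_version(installed) < parse_version(fixed_in)


def dpkg_owner(path):
    """Name of the Debian/Ubuntu package owning path, or None if no package
    owns it (a vendor download, or dpkg not present on this host)."""
    try:
        result = subprocess.run(["dpkg", "-S", path], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    if result.returncode != 0:
        return None
    return result.stdout.split(":", 1)[0].strip()


def triage(jar_path, fixed_in):
    """Combine provenance and version into one report for the JAR."""
    manifest = read_manifest(jar_path)
    installed = manifest.get("Implementation-Version", "")
    return {
        "jar": jar_path,
        "owner": dpkg_owner(jar_path),          # None => not a distro package
        "implementation_version": installed,
        "vulnerable": is_vulnerable(installed, fixed_in) if installed else None,
    }


def make_sample_jar(directory, version):
    """Constructed sample JAR with a wrapped manifest line (not a real Oracle build)."""
    path = os.path.join(directory, "mysql-connector-java-sample.jar")
    manifest = ("Manifest-Version: 1.0\r\n"
                "Implementation-Title: MySQL Connector/J (constructed sam\r\n"
                " ple manifest)\r\n"
                f"Implementation-Version: {version}\r\n"
                "\r\n")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return path


def demo(installed_version, fixed_in):
    """Build a sample JAR carrying installed_version and triage it against fixed_in."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(make_sample_jar(tmp, installed_version), fixed_in)


if __name__ == "__main__":
    # Real use: triage("/opt/app/lib/mysql-connector-java.jar", "<version from advisory>")
    print(demo("8.0.27", "8.0.29"))
```

An owner of None together with a version below the advisory's fixed version is the case the thread ends on: the file is not the distribution's mysql-connector-java package at all, so neither Debian's nor Ubuntu's tracker entry says anything about it, and the fix has to come from replacing the vendor JAR.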