Re: CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Hugo Lefeuvre
> > It appears that CVE-2017-3590 can only be exploited locally. We could also
> > postpone the update and wait for more important issues and fix this issue
> > later.
>
> Also sounds fine. CVSS score is also very low (that's where the no-dsa is
> coming from).
Fine. I'll wait for more issues and

Re: CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Moritz Mühlenhoff
On Thu, Aug 10, 2017 at 12:02:58PM -0400, Markus Koschany wrote:
> On 10/08/17 11:29, Hugo Lefeuvre wrote:
> > Hi,
> >
> > mysql-connector-python is affected by CVE-2017-3590.
> >
> > Since we cannot extract the fix from the upstream patch, the only way to
>

Re: CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Markus Koschany
On 10/08/17 11:29, Hugo Lefeuvre wrote: Hi, mysql-connector-python is affected by CVE-2017-3590. Since we cannot extract the fix from the upstream patch, the only way to solve the issue is to backport 2.6.1-1 to wheezy. However this issue is no-dsa in Jessie, which has 1.2.3-2. If I backport

Re: CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Moritz Mühlenhoff
On Thu, Aug 10, 2017 at 11:29:04AM -0400, Hugo Lefeuvre wrote:
> Hi,
>
> mysql-connector-python is affected by CVE-2017-3590.
>
> Since we cannot extract the fix from the upstream patch, the only way to solve
> the issue is to backport 2.6.1-1 to wheezy. However this issue is

CVE-2017-3590 in mysql-connector-python

2017-08-10 Thread Hugo Lefeuvre
Hi, mysql-connector-python is affected by CVE-2017-3590. Since we cannot extract the fix from the upstream patch, the only way to solve the issue is to backport 2.6.1-1 to wheezy. However this issue is no-dsa in Jessie, which has 1.2.3-2. If I backport 2.6.1 to wheezy, wheezy will have a newer

mysql-connector-python

2017-05-12 Thread Brian May
CCed to security team because this affects wheezy all the way through to sid. I think we have limited options, I don't think trying to generate a patch to this is worthwhile. The scarce information on the vulnerability, or how to test it, is likely to make this very difficult. Especially consideri

Re: Wheezy update of mysql-connector-python?

2016-11-04 Thread Sandro Tosi
thanks for contacting me
On Sat, Oct 22, 2016 at 2:39 PM, Chris Lamb wrote:
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
i

Wheezy update of mysql-connector-python?

2016-10-22 Thread Chris Lamb
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of mysql-connector-python: https://security-tracker.debian.org/tracker/source-package/mysql-connector-python Would you like to take care of this yourself? If yes