opensuse-su-2020:0430-1
Vulnerability from csaf_opensuse
Published
2020-03-31 13:08
Modified
2020-03-31 13:08
Summary
Security update for python-mysql-connector-python

Notes

Title of the patch
Security update for python-mysql-connector-python
Description of the patch
This update for python-mysql-connector-python fixes the following issues: python-mysql-connector-python was updated to 8.0.19 (boo#1122204 - CVE-2019-2435): - WL#13531: Remove xplugin namespace - WL#13372: DNS SRV support - WL#12738: Specify TLS ciphers to be used by a client or session - BUG#30270760: Fix reserved filed should have a length of 22 - BUG#29417117: Close file in handle load data infile - WL#13330: Single C/Python (Win) MSI installer - WL#13335: Connectors should handle expired password sandbox without SET operations - WL#13194: Add support for Python 3.8 - BUG#29909157: Table scans of floats causes memory leak with the C extension - BUG#25349794: Add read_default_file alias for option_files in connect() - WL#13155: Support new utf8mb4 bin collation - WL#12737: Add overlaps and not_overlaps as operator - WL#12735: Add README.rst and CONTRIBUTING.rst files - WL#12227: Indexing array fields - WL#12085: Support cursor prepared statements with C extension - BUG#29855733: Fix error during connection using charset and collation combination - BUG#29833590: Calling execute() should fetch active results - BUG#21072758: Support for connection attributes classic - WL#12864: Upgrade of Protobuf version to 3.6.1 - WL#12863: Drop support for Django versions older than 1.11 - WL#12489: Support new session reset functionality - WL#12488: Support for session-connect-attributes - WL#12297: Expose metadata about the source and binaries - WL#12225: Prepared statement support - BUG#29324966: Add missing username connection argument for driver compatibility - BUG#29278489: Fix wrong user and group for Solaris packages - BUG#29001628: Fix access by column label in Table.select() - BUG#28479054: Fix Python interpreter crash due to memory corruption - BUG#27897881: Empty LONG BLOB throws an IndexError - BUG#29260128: Disable load data local infile by default - WL#12607: Handling of Default Schema - WL#12493: Standardize count method - WL#12492: Be prepared for initial notice on connection - BUG#28646344: Remove expression parsing on values - BUG#28280321: Fix segmentation fault when using unicode characters in tables - BUG#27794178: Using use_pure=False should raise an error if cext is not available - BUG#27434751: Add a TLS/SSL option to verify server name - WL#12239: Add support for Python 3.7 - WL#12226: Implement connect timeout - WL#11897: Implement connection pooling for xprotocol - BUG#28278352: C extension mysqlx Collection.add() leaks memory in sequential calls - BUG#28037275: Missing bind parameters causes segfault or unclear error message - BUG#27528819: Support special characters in the user and password using URI - WL#11951: Consolidate discrepancies between pure and c extension - WL#11932: Remove Fabric support - WL#11898: Core API v1 alignment - BUG#28188883: Use utf8mb4 as the default character set - BUG#28133321: Fix incorrect columns names representing aggregate functions - BUG#27962293: Fix Django 2.0 and MySQL 8.0 compatibility issues - BUG#27567999: Fix wrong docstring in ModifyStatement.patch() - BUG#27277937: Fix confusing error message when using an unsupported collation - BUG#26834200: Deprecate Row.get_string() method - BUG#26660624: Fix missing install option in documentation - WL#11668: Add SHA256_MEMORY authentication mechanism - WL#11614: Enable C extension by default - WL#11448: New document _id generation support - WL#11282: Support new locking modes NOWAIT and SKIP LOCKED - BUG#27639119: Use a list of dictionaries to store warnings - BUG#27634885: Update error codes for MySQL 8.0.11 - BUG#27589450: Remove upsert functionality from WriteStatement class - BUG#27528842: Fix internal queries open for SQL injection - BUG#27364914: Cursor prepared statements do not convert strings - BUG#24953913: Fix failing unittests - BUG#24948205: Results from JSON_TYPE() are returned as bytearray - BUG#24948186: JSON type results are bytearray instead of corresponding python type - WL#11372: Remove configuration API - WL#11303: Remove CreateTable and CreateView - WL#11281: Transaction savepoints - WL#11278: Collection.create_index - WL#11149: Create Pylint test for mysqlx - WL#11142: Modify/MergePatch - WL#11079: Add support for Python 3.6 - WL#11073: Add caching_sha2_password authentication plugin - WL#10975: Add Single document operations - WL#10974: Add Row locking methods to find and select operations - WL#10973: Allow JSON types as operands for IN operator - WL#10899: Add support for pure Python implementation of Protobuf - WL#10771: Add SHA256 authentication - WL#10053: Configuration handling interface - WL#10772: Cleanup Drop APIs - WL#10770: Ensure all Session connections are secure by default - WL#10754: Forbid modify() and remove() with no condition - WL#10659: Support utf8mb4 as default charset - WL#10658: Remove concept of NodeSession - WL#10657: Move version number to 8.0 - WL#10198: Add Protobuf C++ extension implementation - WL#10004: Document UUID generation - BUG#26175003: Fix Session.sql() when using unicode SQL statements with Python 2.7 - BUG#26161838: Dropping an non-existing index should succeed silently - BUG#26160876: Fix issue when using empty condition in Collection.remove() and Table.delete() - BUG#26029811: Improve error thrown when using an invalid parameter in bind() - BUG#25991574: Fix Collection.remove() and Table.delete() missing filters - WL#10452: Add Protobuf C++ extension for Linux variants and Mac OSX - WL#10081: DevAPI: IPv6 support - BUG#25614860: Fix defined_as method in the view creation - BUG#25519251: SelectStatement does not implement order_by() method - BUG#25436568: Update available operators for XPlugin - BUG#24954006: Add missing items in CHANGES.txt - BUG#24578507: Fix import error using Python 2.6 - BUG#23636962: Fix improper error message when creating a Session - BUG#23568207: Fix default aliases for projection fields - BUG#23567724: Fix operator names - DevAPI: Schema.create_table - DevAPI: Flexible Parameter Lists - DevAPI: New transports: Unix domain socket - DevAPI: Core TLS/SSL options for the mysqlx URI scheme - DevAPI: View DDL with support for partitioning in a cluster / sharding - BUG#24520850: Fix unexpected behavior when using an empty collection name - Add support for Protocol Buffers 3 - Add View support (without DDL) - Implement get_default_schema() method in BaseSchema - DevAPI: Per ReplicaSet SQL execution - DevAPI: XSession accepts a list of routers - DevAPI: Define action on adding empty list of documents - BUG#23729357: Fix fetching BIT datatype - BUG#23583381: Add who_am_i and am_i_real methods to DatabaseObject - BUG#23568257: Add fetch_one method to mysqlx.result - BUG#23550743: Add close method to XSession and NodeSession - BUG#23550057: Add support for URI as connection data - Provide initial implementation of new DevAPI This update was imported from the openSUSE:Leap:15.1:Update update project.
Patchnames
openSUSE-2020-430
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-mysql-connector-python",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-mysql-connector-python fixes the following issues:\n\npython-mysql-connector-python was updated to 8.0.19 (boo#1122204 - CVE-2019-2435):\n\n- WL#13531: Remove xplugin namespace\n- WL#13372: DNS SRV support\n- WL#12738: Specify TLS ciphers to be used by a client or session\n- BUG#30270760: Fix reserved filed should have a length of 22\n- BUG#29417117: Close file in handle load data infile\n- WL#13330: Single C/Python (Win) MSI installer\n- WL#13335: Connectors should handle expired password sandbox without SET operations\n- WL#13194: Add support for Python 3.8\n- BUG#29909157: Table scans of floats causes memory leak with the C extension\n- BUG#25349794: Add read_default_file alias for option_files in connect()\n- WL#13155: Support new utf8mb4 bin collation\n- WL#12737: Add overlaps and not_overlaps as operator\n- WL#12735: Add README.rst and CONTRIBUTING.rst files\n- WL#12227: Indexing array fields\n- WL#12085: Support cursor prepared statements with C extension\n- BUG#29855733: Fix error during connection using charset and collation combination\n- BUG#29833590: Calling execute() should fetch active results\n- BUG#21072758: Support for connection attributes classic\n- WL#12864: Upgrade of Protobuf version to 3.6.1\n- WL#12863: Drop support for Django versions older than 1.11\n- WL#12489: Support new session reset functionality\n- WL#12488: Support for session-connect-attributes\n- WL#12297: Expose metadata about the source and binaries\n- WL#12225: Prepared statement support\n- BUG#29324966: Add missing username connection argument for driver compatibility\n- BUG#29278489: Fix wrong user and group for Solaris packages\n- BUG#29001628: Fix access by column label in Table.select()\n- BUG#28479054: Fix Python interpreter crash due to memory corruption\n- BUG#27897881: Empty LONG BLOB throws an IndexError\n- BUG#29260128: Disable load data local infile by default\n- WL#12607: Handling of Default Schema\n- WL#12493: Standardize count method\n- WL#12492: Be prepared for initial notice on connection\n- BUG#28646344: Remove expression parsing on values\n- BUG#28280321: Fix segmentation fault when using unicode characters in tables\n- BUG#27794178: Using use_pure=False should raise an error if cext is not available\n- BUG#27434751: Add a TLS/SSL option to verify server name\n- WL#12239: Add support for Python 3.7\n- WL#12226: Implement connect timeout\n- WL#11897: Implement connection pooling for xprotocol\n- BUG#28278352: C extension mysqlx Collection.add() leaks memory in sequential calls\n- BUG#28037275: Missing bind parameters causes segfault or unclear error message\n- BUG#27528819: Support special characters in the user and password using URI\n- WL#11951: Consolidate discrepancies between pure and c extension\n- WL#11932: Remove Fabric support\n- WL#11898: Core API v1 alignment\n- BUG#28188883: Use utf8mb4 as the default character set\n- BUG#28133321: Fix incorrect columns names representing aggregate functions\n- BUG#27962293: Fix Django 2.0 and MySQL 8.0 compatibility issues\n- BUG#27567999: Fix wrong docstring in ModifyStatement.patch()\n- BUG#27277937: Fix confusing error message when using an unsupported collation\n- BUG#26834200: Deprecate Row.get_string() method\n- BUG#26660624: Fix missing install option in documentation\n- WL#11668: Add SHA256_MEMORY authentication mechanism\n- WL#11614: Enable C extension by default\n- WL#11448: New document _id generation support\n- WL#11282: Support new locking modes NOWAIT and SKIP LOCKED\n- BUG#27639119: Use a list of dictionaries to store warnings\n- BUG#27634885: Update error codes for MySQL 8.0.11\n- BUG#27589450: Remove upsert functionality from WriteStatement class\n- BUG#27528842: Fix internal queries open for SQL injection\n- BUG#27364914: Cursor prepared statements do not convert strings\n- BUG#24953913: Fix failing unittests\n- BUG#24948205: Results from JSON_TYPE() are returned as bytearray\n- BUG#24948186: JSON type results are bytearray instead of corresponding python type\n- WL#11372: Remove configuration API\n- WL#11303: Remove CreateTable and CreateView\n- WL#11281: Transaction savepoints\n- WL#11278: Collection.create_index\n- WL#11149: Create Pylint test for mysqlx\n- WL#11142: Modify/MergePatch\n- WL#11079: Add support for Python 3.6\n- WL#11073: Add caching_sha2_password authentication plugin\n- WL#10975: Add Single document operations\n- WL#10974: Add Row locking methods to find and select operations\n- WL#10973: Allow JSON types as operands for IN operator\n- WL#10899: Add support for pure Python implementation of Protobuf\n- WL#10771: Add SHA256 authentication\n- WL#10053: Configuration handling interface\n- WL#10772: Cleanup Drop APIs\n- WL#10770: Ensure all Session connections are secure by default\n- WL#10754: Forbid modify() and remove() with no condition\n- WL#10659: Support utf8mb4 as default charset\n- WL#10658: Remove concept of NodeSession\n- WL#10657: Move version number to 8.0\n- WL#10198: Add Protobuf C++ extension implementation\n- WL#10004: Document UUID generation\n- BUG#26175003: Fix Session.sql() when using unicode SQL statements with Python 2.7\n- BUG#26161838: Dropping an non-existing index should succeed silently\n- BUG#26160876: Fix issue when using empty condition in Collection.remove() and Table.delete()\n- BUG#26029811: Improve error thrown when using an invalid parameter in bind()\n- BUG#25991574: Fix Collection.remove() and Table.delete() missing filters\n- WL#10452: Add Protobuf C++ extension for Linux variants and Mac OSX\n- WL#10081: DevAPI: IPv6 support\n- BUG#25614860: Fix defined_as method in the view creation\n- BUG#25519251: SelectStatement does not implement order_by() method\n- BUG#25436568: Update available operators for XPlugin\n- BUG#24954006: Add missing items in CHANGES.txt\n- BUG#24578507: Fix import error using Python 2.6\n- BUG#23636962: Fix improper error message when creating a Session\n- BUG#23568207: Fix default aliases for projection fields\n- BUG#23567724: Fix operator names\n- DevAPI: Schema.create_table\n- DevAPI: Flexible Parameter Lists\n- DevAPI: New transports: Unix domain socket\n- DevAPI: Core TLS/SSL options for the mysqlx URI scheme\n- DevAPI: View DDL with support for partitioning in a cluster / sharding\n- BUG#24520850: Fix unexpected behavior when using an empty collection name\n- Add support for Protocol Buffers 3\n- Add View support (without DDL)\n- Implement get_default_schema() method in BaseSchema\n- DevAPI: Per ReplicaSet SQL execution\n- DevAPI: XSession accepts a list of routers\n- DevAPI: Define action on adding empty list of documents\n- BUG#23729357: Fix fetching BIT datatype\n- BUG#23583381: Add who_am_i and am_i_real methods to DatabaseObject\n- BUG#23568257: Add fetch_one method to mysqlx.result\n- BUG#23550743: Add close method to XSession and NodeSession\n- BUG#23550057: Add support for URI as connection data\n- Provide initial implementation of new DevAPI\n\nThis update was imported from the openSUSE:Leap:15.1:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-430",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0430-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:0430-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BTZEAGRVVQSZKISXELKWD2G6WKZMR2L/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:0430-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4BTZEAGRVVQSZKISXELKWD2G6WKZMR2L/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1122204",
        "url": "https://bugzilla.suse.com/1122204"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-2435 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-2435/"
      }
    ],
    "title": "Security update for python-mysql-connector-python",
    "tracking": {
      "current_release_date": "2020-03-31T13:08:06Z",
      "generator": {
        "date": "2020-03-31T13:08:06Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:0430-1",
      "initial_release_date": "2020-03-31T13:08:06Z",
      "revision_history": [
        {
          "date": "2020-03-31T13:08:06Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
                "product": {
                  "name": "python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
                  "product_id": "python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
                "product": {
                  "name": "python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
                  "product_id": "python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP1",
                "product": {
                  "name": "SUSE Package Hub 15 SP1",
                  "product_id": "SUSE Package Hub 15 SP1"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
        },
        "product_reference": "python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
        },
        "product_reference": "python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-2435",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-2435"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
          "SUSE Package Hub 15 SP1:python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-2435",
          "url": "https://www.suse.com/security/cve/CVE-2019-2435"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1122198 for CVE-2019-2435",
          "url": "https://bugzilla.suse.com/1122198"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1122204 for CVE-2019-2435",
          "url": "https://bugzilla.suse.com/1122204"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
            "SUSE Package Hub 15 SP1:python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Package Hub 15 SP1:python2-mysql-connector-python-8.0.19-bp151.4.3.1.noarch",
            "SUSE Package Hub 15 SP1:python3-mysql-connector-python-8.0.19-bp151.4.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-03-31T13:08:06Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-2435"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.