Hello Moritz, could you please reply to the points made below? Thanks!

On Wed, Feb 27, 2019 at 12:23 AM Sandro Tosi <mo...@debian.org> wrote:
> Hello Moritz,
> I'm not sure what kind of input you're expecting from me (if at all, and
> this RC is mostly for the RT), but I'll reply.
>
> > mysql-connector-python is affected by Oracle's policy of not disclosing
> > what security fixes they fix.
> >
> > CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in
> > 8.x, while the version in stretch (2.1.x) is marked as vulnerable,
> > but no 2.1.9 release is available, i.e. we cannot effectively provide
> > a fix within stable only 20 months after stretch was released.
> >
> > This renders mysql-connector-python unsuitable for inclusion in a stable
> > release with security support.
>
> What kind of security support does Debian provide to the mysql server
> packages?
>
> > This leaves us with the following options for buster:
> > - There are no reverse dependencies in buster, remove it from testing
> >   and hope that someone less hostile to the FLOSS community creates a
> >   fork
>
> From a quick look (on unstable):
>
> $ apt-cache rdepends python-mysql.connector
> python-mysql.connector
> Reverse Depends:
>   mysql-utilities
>   mysql-workbench
> $ apt-cache rdepends python3-mysql.connector
> python3-mysql.connector
> Reverse Depends:
>   openlp
>   python3-sql
>
> So some packages, not many; I didn't verify if they are in buster atm.
>
> > - Aside from the packaged software and given that this is the only Python
> >   binding for mysql/mariadb, there's most definitely a sizable number of
> >   in-house code using that module. Update src:debian-security-support to
> >   mark mysql-connector-python as unsupported and add a README.Debian.security
> >   which also documents this status within the package itself.
>
> I think this is up to the security team to decide, no?
>
> --
> Sandro "morph" Tosi
> My website: http://sandrotosi.me/
> Me at Debian: http://wiki.debian.org/SandroTosi
> G+: https://plus.google.com/u/0/+SandroTosi

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi