Re: Security update of mysql-connector-java
On 6/07/2016 at 22:12, Markus Koschany wrote:
> Can I go ahead with an upload to jessie-security?

Don't forget to fix the regression with Java 8 before uploading (#828836). I can help if necessary.

Emmanuel Bourg
Re: Security update of mysql-connector-java
On Wed, Jun 22, 2016 at 06:19:08PM +0200, Markus Koschany wrote:
> On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
> > On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
> > > On 22.06.2016 00:43, Emmanuel Bourg wrote:
> > > > On 22/06/2016 at 00:28, Markus Koschany wrote:
> > > > > Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.
> > > >
> > > > We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm not mistaken it's just a matter of removing this build step:
> > > >
> > > > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
> > > >
> > > > Emmanuel Bourg
> > >
> > > That might be a solution. Perhaps we should also disable the testsuite in
> > > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
> > >
> > > I am not sure if this would prevent all possible runtime errors though. This would require more testing. In any case we have two options: patching 5.1.39 and making it compatible with Jessie/Wheezy, or using 5.1.34 directly.
> >
> > I'd prefer to make 5.1.39 compatible; there might be an additional mysql-connector-java security issue in the future for which 5.1.34 will be insufficient, and then we already have the Java 7 compat sorted out.
>
> Yup, but new vulnerabilities could well have been introduced after 5.1.34, thus we will never really know in advance which approach would have saved us more time.
>
> I have pushed my update for Jessie, 5.1.39-1~deb8u1, to
>
> https://anonscm.debian.org/cgit/pkg-java/mysql-connector-java.git/log/?h=jessie-security
>
> The debdiff is huge so I didn't bother to attach it to this e-mail.
>
> I have rebuilt all reverse build-dependencies successfully. I have also used the library to connect to a local mysql database. I couldn't spot obvious regressions but I would appreciate it if more people tested the new version.

Sorry for the late reply. Please upload, I'll take care of the update.

Cheers,
Moritz
Re: Security update of mysql-connector-java
On 22.06.2016 18:19, Markus Koschany wrote:
> On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
> > On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
> > > On 22.06.2016 00:43, Emmanuel Bourg wrote:
> > > > On 22/06/2016 at 00:28, Markus Koschany wrote:
> > > > > Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.
> > > >
> > > > We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm not mistaken it's just a matter of removing this build step:
> > > >
> > > > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
> > > >
> > > > Emmanuel Bourg
> > >
> > > That might be a solution. Perhaps we should also disable the testsuite in
> > > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
> > >
> > > I am not sure if this would prevent all possible runtime errors though. This would require more testing. In any case we have two options: patching 5.1.39 and making it compatible with Jessie/Wheezy, or using 5.1.34 directly.
> >
> > I'd prefer to make 5.1.39 compatible; there might be an additional mysql-connector-java security issue in the future for which 5.1.34 will be insufficient, and then we already have the Java 7 compat sorted out.
>
> Yup, but new vulnerabilities could well have been introduced after 5.1.34, thus we will never really know in advance which approach would have saved us more time.
>
> I have pushed my update for Jessie, 5.1.39-1~deb8u1, to
>
> https://anonscm.debian.org/cgit/pkg-java/mysql-connector-java.git/log/?h=jessie-security
>
> The debdiff is huge so I didn't bother to attach it to this e-mail.
>
> I have rebuilt all reverse build-dependencies successfully. I have also used the library to connect to a local mysql database. I couldn't spot obvious regressions but I would appreciate it if more people tested the new version.

*ping*

Can I go ahead with an upload to jessie-security?

Regards,
Markus
Re: Security update of mysql-connector-java
On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
> On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
> > On 22.06.2016 00:43, Emmanuel Bourg wrote:
> > > On 22/06/2016 at 00:28, Markus Koschany wrote:
> > > > Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.
> > >
> > > We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm not mistaken it's just a matter of removing this build step:
> > >
> > > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
> > >
> > > Emmanuel Bourg
> >
> > That might be a solution. Perhaps we should also disable the testsuite in
> > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
> >
> > I am not sure if this would prevent all possible runtime errors though. This would require more testing. In any case we have two options: patching 5.1.39 and making it compatible with Jessie/Wheezy, or using 5.1.34 directly.
>
> I'd prefer to make 5.1.39 compatible; there might be an additional mysql-connector-java security issue in the future for which 5.1.34 will be insufficient, and then we already have the Java 7 compat sorted out.

Yup, but new vulnerabilities could well have been introduced after 5.1.34, thus we will never really know in advance which approach would have saved us more time.

I have pushed my update for Jessie, 5.1.39-1~deb8u1, to

https://anonscm.debian.org/cgit/pkg-java/mysql-connector-java.git/log/?h=jessie-security

The debdiff is huge so I didn't bother to attach it to this e-mail.

I have rebuilt all reverse build-dependencies successfully. I have also used the library to connect to a local mysql database. I couldn't spot obvious regressions but I would appreciate it if more people tested the new version.

Regards,
Markus
Re: Security update of mysql-connector-java
On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
> On 22.06.2016 00:43, Emmanuel Bourg wrote:
> > On 22/06/2016 at 00:28, Markus Koschany wrote:
> > > Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.
> >
> > We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm not mistaken it's just a matter of removing this build step:
> >
> > https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
> >
> > Emmanuel Bourg
>
> That might be a solution. Perhaps we should also disable the testsuite in
> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
>
> I am not sure if this would prevent all possible runtime errors though. This would require more testing. In any case we have two options: patching 5.1.39 and making it compatible with Jessie/Wheezy, or using 5.1.34 directly.

I'd prefer to make 5.1.39 compatible; there might be an additional mysql-connector-java security issue in the future for which 5.1.34 will be insufficient, and then we already have the Java 7 compat sorted out.

Cheers,
Moritz
Re: Security update of mysql-connector-java
On 22.06.2016 00:43, Emmanuel Bourg wrote:
> On 22/06/2016 at 00:28, Markus Koschany wrote:
> > Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.
>
> We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm not mistaken it's just a matter of removing this build step:
>
> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
>
> Emmanuel Bourg

That might be a solution. Perhaps we should also disable the testsuite in
https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962

I am not sure if this would prevent all possible runtime errors though. This would require more testing. In any case we have two options: patching 5.1.39 and making it compatible with Jessie/Wheezy, or using 5.1.34 directly.

Markus
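The open question in the exchange above is whether dropping the JDBC 4.2 build step and building with Java 7 leaves a jar that Jessie's JVM can actually load. One part of that can be checked mechanically rather than by testing at runtime: every class file carries a major version in its header (50 for Java 6, 51 for Java 7, 52 for Java 8), and a Java 7 JVM refuses to load anything above 51, so any class compiled against Java 8 that slipped into the jar shows up immediately. The scanner below is an added example written for this thread; it is not part of the mysql-connector-java package or of Debian's tooling. The sample jar and the class names `example/Compat.class` and `example/Jdbc42Only.class` are constructed here for illustration, and the headers are synthetic (only the version fields are meaningful).

```python
import io
import struct
import sys
import zipfile

# Class-file major versions defined by the JVM specification.
# 50 = Java 6, 51 = Java 7, 52 = Java 8. A Java 7 JVM loads nothing above 51.
JAVA_7_MAJOR = 51
MAJOR_TO_RELEASE = {49: "5", 50: "6", 51: "7", 52: "8"}

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def class_major_version(header: bytes) -> int:
    """Return major_version from the first 8 bytes of a class file.

    Layout: u4 magic, u2 minor_version, u2 major_version (big-endian).
    """
    if len(header) < 8 or header[:4] != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    _minor, major = struct.unpack(">HH", header[4:8])
    return major


def scan_jar(jar_bytes: bytes, max_major: int = JAVA_7_MAJOR):
    """Return [(entry, major)] for every class newer than max_major.

    An empty list means every class in the jar is loadable by a JVM
    that accepts class-file version max_major.
    """
    too_new = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            with jar.open(info) as f:
                major = class_major_version(f.read(8))
            if major > max_major:
                too_new.append((info.filename, major))
    return too_new


def make_class_header(major: int) -> bytes:
    """Constructed class-file header; only the version fields matter here."""
    return CLASS_MAGIC + struct.pack(">HH", 0, major) + b"\x00" * 8


def build_sample_jar() -> bytes:
    """Constructed jar: one Java 6 class and one class compiled by Java 8.

    The entry names are made up for this example and do not refer to
    real classes in mysql-connector-java.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        jar.writestr("example/Compat.class", make_class_header(50))
        jar.writestr("example/Jdbc42Only.class", make_class_header(52))
    return buf.getvalue()


def report(jar_bytes: bytes, max_major: int = JAVA_7_MAJOR) -> int:
    """Print offending entries and return an exit code (0 = clean, 1 = too new)."""
    offenders = scan_jar(jar_bytes, max_major)
    for name, major in offenders:
        release = MAJOR_TO_RELEASE.get(major, "?")
        print(f"{name}: class version {major} (Java {release})")
    return 1 if offenders else 0


if __name__ == "__main__":
    # Usage: python scan_jar.py path/to/built.jar  (no argument: scan the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_jar()
    sys.exit(report(data))
```

Run against the jar produced by the patched build, a non-zero exit code means at least one class needs a newer JVM than the target release provides, which is exactly the kind of regression a rebuild of reverse dependencies would not catch if those packages never touch the affected classes. The check says nothing about API or behavioural differences, so it complements rather than replaces the manual testing mentioned above.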
Re: Security update of mysql-connector-java
On 22/06/2016 at 00:28, Markus Koschany wrote:
> Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.

We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm not mistaken it's just a matter of removing this build step:

https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903

Emmanuel Bourg
Re: Security update of mysql-connector-java
On 20.06.2016 19:41, Markus Koschany wrote:
> On 20.06.2016 19:38, Moritz Muehlenhoff wrote:
> > On Mon, Jun 20, 2016 at 06:48:58PM +0200, Markus Koschany wrote:
> > > Hello,
> > >
> > > I am thinking about upgrading mysql-connector-java to the latest stable version in Wheezy and Jessie to address
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2015-2575
> > >
> > > As usual Oracle does not provide concrete information about the vulnerability or a patch for older versions. On the other hand it is claimed that the issue is difficult to exploit, probably because users need to be authenticated. But without further information I rather hesitate to mark this CVE as a minor issue. Any thoughts?
> >
> > Agreed. I already discussed briefly with ebourg who suggested the same.
> >
> > Can you prepare an update for jessie-security?
> >
> > Cheers,
> > Moritz
>
> Yes, I will do so tomorrow.

Houston, we have a problem. It seems the latest upstream release requires Java 8 for building JDBC 4. In Jessie even Java 6 was sufficient. I suggest we ship version 5.1.34 of mysql-connector-java instead, which should build fine with Java 6/7 and also fix the security vulnerability. If there is a better way, please let me know.

Regards,
Markus
Re: Security update of mysql-connector-java
On 20.06.2016 19:38, Moritz Muehlenhoff wrote:
> On Mon, Jun 20, 2016 at 06:48:58PM +0200, Markus Koschany wrote:
> > Hello,
> >
> > I am thinking about upgrading mysql-connector-java to the latest stable version in Wheezy and Jessie to address
> >
> > https://security-tracker.debian.org/tracker/CVE-2015-2575
> >
> > As usual Oracle does not provide concrete information about the vulnerability or a patch for older versions. On the other hand it is claimed that the issue is difficult to exploit, probably because users need to be authenticated. But without further information I rather hesitate to mark this CVE as a minor issue. Any thoughts?
>
> Agreed. I already discussed briefly with ebourg who suggested the same.
>
> Can you prepare an update for jessie-security?
>
> Cheers,
> Moritz

Yes, I will do so tomorrow.

Regards,
Markus
Re: Security update of mysql-connector-java
On Mon, Jun 20, 2016 at 06:48:58PM +0200, Markus Koschany wrote:
> Hello,
>
> I am thinking about upgrading mysql-connector-java to the latest stable version in Wheezy and Jessie to address
>
> https://security-tracker.debian.org/tracker/CVE-2015-2575
>
> As usual Oracle does not provide concrete information about the vulnerability or a patch for older versions. On the other hand it is claimed that the issue is difficult to exploit, probably because users need to be authenticated. But without further information I rather hesitate to mark this CVE as a minor issue. Any thoughts?

Agreed. I already discussed briefly with ebourg who suggested the same.

Can you prepare an update for jessie-security?

Cheers,
Moritz