Vulnerability from csaf_opensuse
Published
2024-11-06 17:13
Modified
2024-11-06 17:13
Summary
Security update for python-mysql-connector-python
Notes
Title of the patch
Security update for python-mysql-connector-python
Description of the patch
This update for python-mysql-connector-python fixes the following issues:
- Update to 9.1.0 (boo#1231740, CVE-2024-21272)
- WL#16452: Bundle all installable authentication plugins when building the C-extension
- WL#16444: Drop build support for DEB packages
- WL#16442: Upgrade gssapi version to 1.8.3
- WL#16411: Improve wheel metadata information for Classic and XDevAPI connectors
- WL#16341: OpenID Connect (Oauth2 - JWT) Authentication Support
- WL#16307: Remove Python 3.8 support
- WL#16306: Add support for Python 3.13
- BUG#37055435: Connection fails during the TLS negotiation when specifying TLSv1.3 ciphers
- BUG#37013057: mysql-connector-python Parameterized query SQL injection
- BUG#36765200: python mysql connector 8.3.0 raise %-.100s:%u when input a wrong host
- BUG#36577957: Update charset/collation description indicate this is 16 bits
- 9.0.0:
- WL#16350: Update dnspython version
- WL#16318: Deprecate Cursors Prepared Raw and Named Tuple
- WL#16284: Update the Python Protobuf version
- WL#16283: Remove OpenTelemetry Bundled Installation
- BUG#36664998: Packets out of order error is raised while changing user in aio
- BUG#36611371: Update dnspython required versions to allow latest 2.6.1
- BUG#36570707: Collation set on connect using C-Extension is ignored
- BUG#36476195: Incorrect escaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES
- BUG#36289767: MySQLCursorBufferedRaw does not skip conversion
- 8.4.0
- WL#16203: GPL License Exception Update
- WL#16173: Update allowed cipher and cipher-suite lists
- WL#16164: Implement support for new vector data type
- WL#16127: Remove the FIDO authentication mechanism
- WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension
- BUG#36227964: Improve OpenTelemetry span coverage
- BUG#36167880: Massive memory leak mysqlx native Protobuf adding to collection
- 8.3.0
- WL#16015: Remove use of removed COM_ commands
- WL#15985: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for Pure Python
- WL#15983: Stop using mysql_ssl_set api
- WL#15982: Remove use of mysql_shutdown
- WL#15950: Support query parameters for prepared statements
- WL#15942: Improve type hints and standardize byte type handling
- WL#15836: Split mysql and mysqlx into different packages
- WL#15523: Support Python DB API asynchronous execution
- BUG#35912790: Binary strings are converted when using prepared statements
- BUG#35832148: Fix Django timezone.utc deprecation warning
- BUG#35710145: Bad MySQLCursor.statement and result when query text contains code comments
- BUG#21390859: STATEMENTS GET OUT OF SYNCH WITH RESULT SETS
Patchnames
openSUSE-2024-351
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-mysql-connector-python", title: "Title of the patch", }, { category: "description", text: "This update for python-mysql-connector-python fixes the following issues:\n\n- Update to 9.1.0 (boo#1231740, CVE-2024-21272)\n - WL#16452: Bundle all installable authentication plugins when building the C-extension\n - WL#16444: Drop build support for DEB packages\n - WL#16442: Upgrade gssapi version to 1.8.3\n - WL#16411: Improve wheel metadata information for Classic and XDevAPI connectors\n - WL#16341: OpenID Connect (Oauth2 - JWT) Authentication Support\n - WL#16307: Remove Python 3.8 support\n - WL#16306: Add support for Python 3.13\n - BUG#37055435: Connection fails during the TLS negotiation when specifying TLSv1.3 ciphers\n - BUG#37013057: mysql-connector-python Parameterized query SQL injection\n - BUG#36765200: python mysql connector 8.3.0 raise %-.100s:%u when input a wrong host\n - BUG#36577957: Update charset/collation description indicate this is 16 bits\n- 9.0.0:\n - WL#16350: Update dnspython version\n - WL#16318: Deprecate Cursors Prepared Raw and Named Tuple\n - WL#16284: Update the Python Protobuf version\n - WL#16283: Remove OpenTelemetry Bundled Installation\n - BUG#36664998: Packets out of order error is raised while changing user in aio\n - BUG#36611371: Update dnspython required versions to allow latest 2.6.1\n - BUG#36570707: Collation set on connect using C-Extension is ignored\n - BUG#36476195: Incorrect escaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES\n - BUG#36289767: MySQLCursorBufferedRaw does not skip conversion\n- 8.4.0\n - WL#16203: GPL License Exception Update\n - WL#16173: Update allowed cipher and cipher-suite lists\n - WL#16164: Implement support for new vector data type\n - WL#16127: Remove the FIDO authentication mechanism\n - WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension\n - BUG#36227964: Improve OpenTelemetry span coverage\n - BUG#36167880: Massive memory leak mysqlx native Protobuf adding to collection\n- 8.3.0\n - WL#16015: Remove use of removed COM_ commands\n - WL#15985: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for Pure Python\n - WL#15983: Stop using mysql_ssl_set api\n - WL#15982: Remove use of mysql_shutdown\n - WL#15950: Support query parameters for prepared statements\n - WL#15942: Improve type hints and standardize byte type handling\n - WL#15836: Split mysql and mysqlx into different packages\n - WL#15523: Support Python DB API asynchronous execution\n - BUG#35912790: Binary strings are converted when using prepared statements\n - BUG#35832148: Fix Django timezone.utc deprecation warning\n - BUG#35710145: Bad MySQLCursor.statement and result when query text contains code comments\n - BUG#21390859: STATEMENTS GET OUT OF SYNCH WITH RESULT SETS\n", title: "Description of the patch", }, { category: "details", text: "openSUSE-2024-351", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0351-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2024:0351-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/A4QYWY7IAP4RFAA3R6QMK3Q6FFAY4UOZ/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2024:0351-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/A4QYWY7IAP4RFAA3R6QMK3Q6FFAY4UOZ/", }, { category: "self", summary: "SUSE Bug 1231740", url: "https://bugzilla.suse.com/1231740", }, { category: "self", summary: "SUSE CVE CVE-2024-21272 page", url: "https://www.suse.com/security/cve/CVE-2024-21272/", }, ], title: "Security update for python-mysql-connector-python", tracking: { current_release_date: "2024-11-06T17:13:19Z", generator: { date: "2024-11-06T17:13:19Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:0351-1", initial_release_date: "2024-11-06T17:13:19Z", revision_history: [ { date: "2024-11-06T17:13:19Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", product: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", product_id: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", product: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", product_id: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", }, }, ], category: "architecture", name: "i586", }, { branches: [ { category: "product_version", name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", product: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", product_id: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", product: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", product_id: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", product: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", product_id: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 15 SP5", product: { name: "SUSE Package Hub 15 SP5", product_id: "SUSE Package Hub 15 SP5", }, }, { category: "product_name", name: "openSUSE Leap 15.5", product: { name: "openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.5", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64 as component of SUSE Package Hub 15 SP5", product_id: "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", relates_to_product_reference: "SUSE Package Hub 15 SP5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586 as component of SUSE Package Hub 15 SP5", product_id: "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", relates_to_product_reference: "SUSE Package Hub 15 SP5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le as component of SUSE Package Hub 15 SP5", product_id: "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x as component of SUSE Package Hub 15 SP5", product_id: "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64 as component of SUSE Package Hub 15 SP5", product_id: "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64 as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586 as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64 as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", }, product_reference: "python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.5", }, ], }, vulnerabilities: [ { cve: "CVE-2024-21272", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-21272", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-21272", url: "https://www.suse.com/security/cve/CVE-2024-21272", }, { category: "external", summary: "SUSE Bug 1231740 for CVE-2024-21272", url: "https://bugzilla.suse.com/1231740", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", "SUSE Package Hub 15 SP5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.aarch64", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.i586", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.ppc64le", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.s390x", "openSUSE Leap 15.5:python3-mysql-connector-python-9.1.0-bp155.3.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-11-06T17:13:19Z", details: "important", }, ], title: "CVE-2024-21272", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.