SUSE-SU-2023:2241-1: moderate: Security update for mysql-connector-java
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu May 18 08:30:05 UTC 2023
# Security update for mysql-connector-java
Announcement ID: SUSE-SU-2023:2241-1
Rating: moderate
References:
* #1211247
Cross-References:
* CVE-2023-21971
CVSS scores:
* CVE-2023-21971 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
* CVE-2023-21971 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
Affected Products:
* openSUSE Leap 15.4
An update that solves one vulnerability and contains one feature can now be
installed.
## Description:
This update for mysql-connector-java fixes the following issues:
* CVE-2023-21971: Fixed a crash in MySQL Connectors that could be triggered by
an authenticated remote user (bsc#1211247).
* Ship protobuf 3.9.2 compatible generated files to support older distro
versions.
* Update to 8.0.32:
* MysqlDataSource fails to URL encode database name when constructing JDBC
URL.
* serverSideStatementCache ignores resultSetType.
* UpdatableResultSet does not properly handle unsigned primary key.
* Connector/J 8 query with explain can not return ResultRow.
* Add support to row alias on INSERT... ON DUPLICATE KEY UPDATE on batch mode.
* connectionCollation ignored if characterEncoding is set.
* Connector/J rejects UNION with CTE.
* Malformed packet generation for `COM_STMT_EXECUTE`.
* Connector/J client hangs after prepare & execute process with old version
server.
* Contribution: Fix name of relocation POM file.
* Contribution: [PATCH] Remove superfluous use of boxing.
* Contribution: Recognize "ON DUPLICATE KEY UPDATE" in "INSERT SET" Statement.
* RPM and DEB builds broken after introducing javadoc for maven bundles.
* Sonatype compliant POM and maven bundles.
* Upgrade 3rd party libraries and tools.
* Upgrade Protocol Buffers dependency to protobuf-java-3.21.9.
* As Oracle renamed the package to "mysql-connector-j", we are "providing"
both names for now, but the package has to be renamed to accommodate the
change because the old name will be deprecated at some point in the future
without further notice.
* Update to 8.0.31:
Functionality Added or Changed
* Important Change: To comply with proper naming guidelines, the
Maven groupId and artifactId for Connector/J have been changed
to the following starting with this release:
groupId: com.mysql
artifactId: mysql-connector-j
* The old groupId and artifactId can still be used for linking
the Connector/J library, but they will point to a Maven
relocation POM, redirecting users to the new coordinates.
Please switch to the new coordinates as soon as possible, as
the old coordinates could be discontinued anytime without
notice. See Installing Connector/J Using Maven.
* Also, to go with these changes, the .jar library for
Connector/J has been renamed to mysql-connector-j-x.y.z for
all channels of distribution by Oracle, not just the Maven
repository.
* Before release 8.0.29, Connector/J always interpolated byte
arrays as hexadecimal literals when obtaining a prepared
statement's string representation by the toString() method.
Since 8.0.29, all byte array values were displayed as
** BYTE ARRAY DATA ** when converted to strings. The same is
also true for null values.
* To allow different ways to display byte array data and null
values, a new connection property, maxByteArrayAsHex, has been
introduced: byte arrays shorter than the value of
maxByteArrayAsHex are now shown as hexadecimal literals like
before release 8.0.29. Any byte arrays longer than this value
are interpolated generically as ** BYTE ARRAY DATA **.
Bugs Fixed
* X DevAPI: When parsing a string into a JSON string, some
escape character sequences were not parsed properly, causing
the Server to throw a com.mysql.cj.exceptions.WrongArgumentException
when receiving the JSON value. This fix ensures that escape
sequences are handled properly.
* X DevAPI: When using the modify() method on JSON documents,
any backslashes inside a literal to be used for the modification
were lost. This fix corrects the mistakes in the expression
parser that caused the issue.
* Executing a PreparedStatment after applying setFetchSize(0) on
it caused an ArrayIndexOutOfBoundsException.
* Due to some old limitations, when used with Java applets,
Connector/J found out the default character set on a system by
various workarounds like reading the system property
file.encoding, using an OutpuStreamWriter, etc. With this fix,
Connector/J now uses Charset.defaultCharset(), the standard
method for the purpose.
* Update to 8.0.30:
Functionality Added or Changed
* X DevAPI: For document-modifying methods that are chained
after modify() and take a document path expression as one of
its arguments (that is, set(), unset(), arrayInsert(),
arrayAppend()), Connector/J now throws an error when the
document path is empty or is a null string.
Bugs Fixed
* Historically, MySQL Server has used utf8 as an alias for
utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized
(though deprecated) character set on its own for MySQL Server
and to make things consistent, in release 8.0.30, any
collations prefixed with utf8_ are now prefixed with utf8mb3_
instead. To go with that change, Connector/J has updated its
character set and collation mapping accordingly in this
release, and users are encouraged to update to Connector/J
8.0.30 to avoid potential issues when working with MySQL
Server 8.0.30 or later.
* A few links in the CONTRIBUTING.md file in the distribution
packages were broken. They have now been fixed or removed.
* The description for the connection property
rewriteBatchedStatements has been corrected, removing the
limitation that server-sided prepared statements could not
take advantage of the rewrite option.
* A spelling error has been fixed in the source file for the
PropertyDefinitions class. Thanks to Weijie Wu for
contributing the fix.
* DatabaseMetaData.getTypeInfo always returned false for
AUTO_INCREMENT for all data types. With this fix, Connector/J
returns the correct value for each data type. Also, the
missing types DOUBLE UNSIGNED and DOUBLE PRECISION UNSIGNED
have been added to the ResultSet.
* Contrary to the the MySQL requirement for comments,
Connector/J did not require a whitespace (or a control
character such as a newline) after "--" to mark the beginning
of a comment within a SQL statement. This fix aligns
Connector/J with the MySQL requirement.
## Patch Instructions:
To install this SUSE Moderate update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-2241=1
## Package List:
* openSUSE Leap 15.4 (noarch)
* mysql-connector-java-8.0.32-150200.3.15.1
## References:
* https://www.suse.com/security/cve/CVE-2023-21971.html
* https://bugzilla.suse.com/show_bug.cgi?id=1211247
* https://jira.suse.com/browse/SLE-23217
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20230518/17e20c1f/attachment.htm>
More information about the sle-security-updates
mailing list