SUSE-SU-2023:2241-1: moderate: Security update for mysql-connector-java

sle-security-updates at lists.suse.com
Thu May 18 08:30:05 UTC 2023



# Security update for mysql-connector-java

Announcement ID: SUSE-SU-2023:2241-1  
Rating: moderate  
References:

  * #1211247

  
Cross-References:

  * CVE-2023-21971

  
CVSS scores:

  * CVE-2023-21971 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
  * CVE-2023-21971 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

  
Affected Products:

  * openSUSE Leap 15.4

  
  
An update that solves one vulnerability and contains one feature can now be
installed.

## Description:

This update for mysql-connector-java fixes the following issues:

  * CVE-2023-21971: Fixed a crash in MySQL Connectors that could be triggered by
    an authenticated remote user (bsc#1211247).

  * Ship protobuf 3.9.2 compatible generated files to support older distro
    versions.

  * Update to 8.0.32:

  * MysqlDataSource fails to URL encode database name when constructing JDBC
    URL.

  * serverSideStatementCache ignores resultSetType.
  * UpdatableResultSet does not properly handle unsigned primary key.
  * Connector/J 8 query with explain can not return ResultRow.
  * Add support to row alias on INSERT... ON DUPLICATE KEY UPDATE on batch mode.
  * connectionCollation ignored if characterEncoding is set.
  * Connector/J rejects UNION with CTE.
  * Malformed packet generation for `COM_STMT_EXECUTE`.
  * Connector/J client hangs after prepare & execute process with old version
    server.
  * Contribution: Fix name of relocation POM file.
  * Contribution: [PATCH] Remove superfluous use of boxing.
  * Contribution: Recognize "ON DUPLICATE KEY UPDATE" in "INSERT SET" Statement.
  * RPM and DEB builds broken after introducing javadoc for maven bundles.
  * Sonatype compliant POM and maven bundles.
  * Upgrade 3rd party libraries and tools.
  * Upgrade Protocol Buffers dependency to protobuf-java-3.21.9.

  * As Oracle renamed the package to "mysql-connector-j", we are "providing"
    both names for now, but the package has to be renamed to accommodate the
    change because the old name will be deprecated at some point in the future
    without further notice.

  * Update to 8.0.31:

Functionality Added or Changed

    * Important Change: To comply with proper naming guidelines, the
      Maven groupId and artifactId for Connector/J have been changed
      to the following starting with this release:
        groupId: com.mysql
        artifactId: mysql-connector-j
    * The old groupId and artifactId can still be used for linking 
      the Connector/J library, but they will point to a Maven 
      relocation POM, redirecting users to the new coordinates. 
      Please switch to the new coordinates as soon as possible, as 
      the old coordinates could be discontinued anytime without 
      notice. See Installing Connector/J Using Maven.
    * Also, to go with these changes, the .jar library for 
      Connector/J has been renamed to mysql-connector-j-x.y.z for 
      all channels of distribution by Oracle, not just the Maven 
      repository.
    * Before release 8.0.29, Connector/J always interpolated byte
      arrays as hexadecimal literals when obtaining a prepared
      statement's string representation by the toString() method.
      Since 8.0.29, all byte array values were displayed as
      `** BYTE ARRAY DATA **` when converted to strings. The same is
      also true for null values.
    * To allow different ways to display byte array data and null
      values, a new connection property, maxByteArrayAsHex, has been
      introduced: byte arrays shorter than the value of
      maxByteArrayAsHex are now shown as hexadecimal literals like
      before release 8.0.29. Any byte arrays longer than this value
      are interpolated generically as `** BYTE ARRAY DATA **`.

Bugs Fixed

    * X DevAPI: When parsing a string into a JSON string, some 
      escape character sequences were not parsed properly, causing 
      the Server to throw a com.mysql.cj.exceptions.WrongArgumentException 
      when receiving the JSON value. This fix ensures that escape 
      sequences are handled properly.
    * X DevAPI: When using the modify() method on JSON documents, 
      any backslashes inside a literal to be used for the modification 
      were lost. This fix corrects the mistakes in the expression 
      parser that caused the issue.
    * Executing a PreparedStatement after applying setFetchSize(0) on
      it caused an ArrayIndexOutOfBoundsException.
    * Due to some old limitations, when used with Java applets,
      Connector/J found out the default character set on a system by
      various workarounds like reading the system property
      file.encoding, using an OutputStreamWriter, etc. With this fix,
      Connector/J now uses Charset.defaultCharset(), the standard
      method for the purpose.

  * Update to 8.0.30:

Functionality Added or Changed

    * X DevAPI: For document-modifying methods that are chained 
      after modify() and take a document path expression as one of
      its arguments (that is, set(), unset(), arrayInsert(),
      arrayAppend()), Connector/J now throws an error when the
      document path is empty or is a null string.

Bugs Fixed

    * Historically, MySQL Server has used utf8 as an alias for 
      utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized
      (though deprecated) character set on its own for MySQL Server
      and to make things consistent, in release 8.0.30, any 
      collations prefixed with utf8_ are now prefixed with utf8mb3_ 
      instead. To go with that change, Connector/J has updated its
      character set and collation mapping accordingly in this
      release, and users are encouraged to update to Connector/J 
      8.0.30 to avoid potential issues when working with MySQL 
      Server 8.0.30 or later.
    * A few links in the CONTRIBUTING.md file in the distribution
      packages were broken. They have now been fixed or removed.
    * The description for the connection property
      rewriteBatchedStatements has been corrected, removing the
      limitation that server-sided prepared statements could not
      take advantage of the rewrite option.
    * A spelling error has been fixed in the source file for the
      PropertyDefinitions class. Thanks to Weijie Wu for 
      contributing the fix.
    * DatabaseMetaData.getTypeInfo always returned false for
      AUTO_INCREMENT for all data types. With this fix, Connector/J
      returns the correct value for each data type. Also, the
      missing types DOUBLE UNSIGNED and DOUBLE PRECISION UNSIGNED
      have been added to the ResultSet.
    * Contrary to the MySQL requirement for comments,
      Connector/J did not require a whitespace (or a control
      character such as a newline) after "--" to mark the beginning
      of a comment within a SQL statement. This fix aligns
      Connector/J with the MySQL requirement.
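
The "--" comment rule in the last bullet, as an added example that is not part of the advisory or of Connector/J: a small Python comment stripper that applies the MySQL rule (a comment needs whitespace or a control character after "--") and, for comparison, the older unconditional reading, so that statements on which a client and the server would disagree about where a comment starts can be spotted.

```python
def strip_comments(sql: str, require_space_after_dashes: bool = True) -> str:
    """Return sql with comments removed.

    Copies single- and double-quoted string literals verbatim (honouring
    backslash escapes), removes '#' line comments, '/* ... */' block comments
    and '--' line comments. With require_space_after_dashes=True, '--' starts
    a comment only if followed by whitespace, a control character or end of
    input (the MySQL rule); with False, '--' always starts a comment (the
    lax reading Connector/J used before 8.0.30, as described in the advisory).
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            # string literal: copy it whole, skipping over backslash escapes
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == "\\" else 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif c == "#":
            i = _skip_line(sql, i)
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif sql.startswith("--", i) and (
            not require_space_after_dashes
            or i + 2 >= n
            or sql[i + 2].isspace()
            or ord(sql[i + 2]) < 0x20
        ):
            i = _skip_line(sql, i)
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _skip_line(sql: str, i: int) -> int:
    """Index of the newline ending the comment that starts at i (newline is kept)."""
    nl = sql.find("\n", i)
    return len(sql) if nl < 0 else nl


def interpretations_differ(sql: str) -> bool:
    """True when the MySQL rule and the old lax rule disagree on this statement."""
    return strip_comments(sql, True) != strip_comments(sql, False)
```

Under the MySQL rule `SELECT a--b FROM t` is arithmetic (`a - (-b)`), while the lax reading truncates it to `SELECT a`; `interpretations_differ` flags exactly such statements.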

## Patch Instructions:

To install this SUSE Moderate update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch openSUSE-SLE-15.4-2023-2241=1

## Package List:

  * openSUSE Leap 15.4 (noarch)
    * mysql-connector-java-8.0.32-150200.3.15.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-21971.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1211247
  * https://jira.suse.com/browse/SLE-23217
