openSUSE Security Update: Security update for python-mysql-connector-python
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:0430-1
Rating:             moderate
References:         #1122204 
Cross-References:   CVE-2019-2435
Affected Products:
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-mysql-connector-python fixes the following issues:

   python-mysql-connector-python was updated to 8.0.19 (boo#1122204 -
   CVE-2019-2435):

   - WL#13531: Remove xplugin namespace
   - WL#13372: DNS SRV support
   - WL#12738: Specify TLS ciphers to be used by a client or session
   - BUG#30270760: Fix reserved field should have a length of 22
   - BUG#29417117: Close file in handle load data infile
   - WL#13330: Single C/Python (Win) MSI installer
   - WL#13335: Connectors should handle expired password sandbox without SET
     operations
   - WL#13194: Add support for Python 3.8
   - BUG#29909157: Table scans of floats causes memory leak with the C
     extension
   - BUG#25349794: Add read_default_file alias for option_files in connect()
   - WL#13155: Support new utf8mb4 bin collation
   - WL#12737: Add overlaps and not_overlaps as operator
   - WL#12735: Add README.rst and CONTRIBUTING.rst files
   - WL#12227: Indexing array fields
   - WL#12085: Support cursor prepared statements with C extension
   - BUG#29855733: Fix error during connection using charset and collation
     combination
   - BUG#29833590: Calling execute() should fetch active results
   - BUG#21072758: Support for connection attributes classic
   - WL#12864: Upgrade of Protobuf version to 3.6.1
   - WL#12863: Drop support for Django versions older than 1.11
   - WL#12489: Support new session reset functionality
   - WL#12488: Support for session-connect-attributes
   - WL#12297: Expose metadata about the source and binaries
   - WL#12225: Prepared statement support
   - BUG#29324966: Add missing username connection argument for driver
     compatibility
   - BUG#29278489: Fix wrong user and group for Solaris packages
   - BUG#29001628: Fix access by column label in Table.select()
   - BUG#28479054: Fix Python interpreter crash due to memory corruption
   - BUG#27897881: Empty LONG BLOB throws an IndexError
   - BUG#29260128: Disable load data local infile by default
   - WL#12607: Handling of Default Schema
   - WL#12493: Standardize count method
   - WL#12492: Be prepared for initial notice on connection
   - BUG#28646344: Remove expression parsing on values
   - BUG#28280321: Fix segmentation fault when using unicode characters in
     tables
   - BUG#27794178: Using use_pure=False should raise an error if cext is not
     available
   - BUG#27434751: Add a TLS/SSL option to verify server name
   - WL#12239: Add support for Python 3.7
   - WL#12226: Implement connect timeout
   - WL#11897: Implement connection pooling for xprotocol
   - BUG#28278352: C extension mysqlx Collection.add() leaks memory in
     sequential calls
   - BUG#28037275: Missing bind parameters causes segfault or unclear error
     message
   - BUG#27528819: Support special characters in the user and password using
     URI
   - WL#11951: Consolidate discrepancies between pure and c extension
   - WL#11932: Remove Fabric support
   - WL#11898: Core API v1 alignment
   - BUG#28188883: Use utf8mb4 as the default character set
   - BUG#28133321: Fix incorrect columns names representing aggregate
     functions
   - BUG#27962293: Fix Django 2.0 and MySQL 8.0 compatibility issues
   - BUG#27567999: Fix wrong docstring in ModifyStatement.patch()
   - BUG#27277937: Fix confusing error message when using an unsupported
     collation
   - BUG#26834200: Deprecate Row.get_string() method
   - BUG#26660624: Fix missing install option in documentation
   - WL#11668: Add SHA256_MEMORY authentication mechanism
   - WL#11614: Enable C extension by default
   - WL#11448: New document _id generation support
   - WL#11282: Support new locking modes NOWAIT and SKIP LOCKED
   - BUG#27639119: Use a list of dictionaries to store warnings
   - BUG#27634885: Update error codes for MySQL 8.0.11
   - BUG#27589450: Remove upsert functionality from WriteStatement class
   - BUG#27528842: Fix internal queries open for SQL injection
   - BUG#27364914: Cursor prepared statements do not convert strings
   - BUG#24953913: Fix failing unittests
   - BUG#24948205: Results from JSON_TYPE() are returned as bytearray
   - BUG#24948186: JSON type results are bytearray instead of corresponding
     python type
   - WL#11372: Remove configuration API
   - WL#11303: Remove CreateTable and CreateView
   - WL#11281: Transaction savepoints
   - WL#11278: Collection.create_index
   - WL#11149: Create Pylint test for mysqlx
   - WL#11142: Modify/MergePatch
   - WL#11079: Add support for Python 3.6
   - WL#11073: Add caching_sha2_password authentication plugin
   - WL#10975: Add Single document operations
   - WL#10974: Add Row locking methods to find and select operations
   - WL#10973: Allow JSON types as operands for IN operator
   - WL#10899: Add support for pure Python implementation of Protobuf
   - WL#10771: Add SHA256 authentication
   - WL#10053: Configuration handling interface
   - WL#10772: Cleanup Drop APIs
   - WL#10770: Ensure all Session connections are secure by default
   - WL#10754: Forbid modify() and remove() with no condition
   - WL#10659: Support utf8mb4 as default charset
   - WL#10658: Remove concept of NodeSession
   - WL#10657: Move version number to 8.0
   - WL#10198: Add Protobuf C++ extension implementation
   - WL#10004: Document UUID generation
   - BUG#26175003: Fix Session.sql() when using unicode SQL statements with
     Python 2.7
   - BUG#26161838: Dropping a non-existing index should succeed silently
   - BUG#26160876: Fix issue when using empty condition in
     Collection.remove() and Table.delete()
   - BUG#26029811: Improve error thrown when using an invalid parameter in
     bind()
   - BUG#25991574: Fix Collection.remove() and Table.delete() missing filters
   - WL#10452: Add Protobuf C++ extension for Linux variants and Mac OSX
   - WL#10081: DevAPI: IPv6 support
   - BUG#25614860: Fix defined_as method in the view creation
   - BUG#25519251: SelectStatement does not implement order_by() method
   - BUG#25436568: Update available operators for XPlugin
   - BUG#24954006: Add missing items in CHANGES.txt
   - BUG#24578507: Fix import error using Python 2.6
   - BUG#23636962: Fix improper error message when creating a Session
   - BUG#23568207: Fix default aliases for projection fields
   - BUG#23567724: Fix operator names
   - DevAPI: Schema.create_table
   - DevAPI: Flexible Parameter Lists
   - DevAPI: New transports: Unix domain socket
   - DevAPI: Core TLS/SSL options for the mysqlx URI scheme
   - DevAPI: View DDL with support for partitioning in a cluster / sharding
   - BUG#24520850: Fix unexpected behavior when using an empty collection name
   - Add support for Protocol Buffers 3
   - Add View support (without DDL)
   - Implement get_default_schema() method in BaseSchema
   - DevAPI: Per ReplicaSet SQL execution
   - DevAPI: XSession accepts a list of routers
   - DevAPI: Define action on adding empty list of documents
   - BUG#23729357: Fix fetching BIT datatype
   - BUG#23583381: Add who_am_i and am_i_real methods to DatabaseObject
   - BUG#23568257: Add fetch_one method to mysqlx.result
   - BUG#23550743: Add close method to XSession and NodeSession
   - BUG#23550057: Add support for URI as connection data
   - Provide initial implementation of new DevAPI

   This update was imported from the openSUSE:Leap:15.1:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2020-430=1



Package List:

   - openSUSE Backports SLE-15-SP1 (noarch):

      python2-mysql-connector-python-8.0.19-bp151.4.3.1
      python3-mysql-connector-python-8.0.19-bp151.4.3.1
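
   Added example, not part of the original advisory: a post-patch check that
   compares installed builds of the two packages above against the fixed
   version-release from the Package List. The function names, the sample
   inventory and the use of GNU "sort -V" in place of rpm's own version
   comparison are assumptions of this example.

```shell
#!/bin/sh
# Fixed version-release, copied from the advisory's Package List.
FIXED="8.0.19-bp151.4.3.1"

# needs_update VERSION-RELEASE
# Succeeds (exit 0) when the given build sorts before FIXED.
# Assumption: GNU `sort -V` stands in for rpm's own version comparison.
needs_update() {
    [ "$1" = "$FIXED" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# audit: reads "name version-release" lines on stdin, reports the two
# packages named in the advisory, returns 1 if either is still unpatched.
audit() {
    rc=0
    while read -r name vr; do
        case "$name" in
            python2-mysql-connector-python|python3-mysql-connector-python) ;;
            *) continue ;;
        esac
        if needs_update "$vr"; then
            echo "OUTDATED $name $vr (fixed in $FIXED)"
            rc=1
        else
            echo "OK       $name $vr"
        fi
    done
    return "$rc"
}

# Constructed inventory for demonstration; the older release string is made up.
sample_inventory() {
    printf '%s\n' \
        "python2-mysql-connector-python 8.0.18-bp151.0.0" \
        "python3-mysql-connector-python 8.0.19-bp151.4.3.1" \
        "bash 4.4-bp151.0.0"
}

# On a real host, feed audit from:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
sample_inventory | audit || echo "at least one package still needs openSUSE-2020-430"
```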


References:

   https://www.suse.com/security/cve/CVE-2019-2435.html
   https://bugzilla.suse.com/1122204

-- 

openSUSE: 2020:0430-1: moderate: python-mysql-connector-python

March 31, 2020