
Security vulnerability in the python-mysql-connector-python software package

openSUSE Security Update: Security update for python-mysql-connector-python
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0409-1
Rating: moderate
References: #1122204
Cross-References: CVE-2019-2435
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-mysql-connector-python fixes the following issues:

python-mysql-connector-python was updated to 8.0.19 (boo#1122204 - CVE-2019-2435):

- WL#13531: Remove xplugin namespace
- WL#13372: DNS SRV support
- WL#12738: Specify TLS ciphers to be used by a client or session
- BUG#30270760: Fix reserved filed should have a length of 22
- BUG#29417117: Close file in handle load data infile
- WL#13330: Single C/Python (Win) MSI installer
- WL#13335: Connectors should handle expired password sandbox without SET operations
- WL#13194: Add support for Python 3.8
- BUG#29909157: Table scans of floats causes memory leak with the C extension
- BUG#25349794: Add read_default_file alias for option_files in connect()
- WL#13155: Support new utf8mb4 bin collation
- WL#12737: Add overlaps and not_overlaps as operator
- WL#12735: Add README.rst and CONTRIBUTING.rst files
- WL#12227: Indexing array fields
- WL#12085: Support cursor prepared statements with C extension
- BUG#29855733: Fix error during connection using charset and collation combination
- BUG#29833590: Calling execute() should fetch active results
- BUG#21072758: Support for connection attributes classic
- WL#12864: Upgrade of Protobuf version to 3.6.1
- WL#12863: Drop support for Django versions older than 1.11
- WL#12489: Support new session reset functionality
- WL#12488: Support for session-connect-attributes
- WL#12297: Expose metadata about the source and binaries
- WL#12225: Prepared statement support
- BUG#29324966: Add missing username connection argument for driver compatibility
- BUG#29278489: Fix wrong user and group for Solaris packages
- BUG#29001628: Fix access by column label in Table.select()
- BUG#28479054: Fix Python interpreter crash due to memory corruption
- BUG#27897881: Empty LONG BLOB throws an IndexError
- BUG#29260128: Disable load data local infile by default
- WL#12607: Handling of Default Schema
- WL#12493: Standardize count method
- WL#12492: Be prepared for initial notice on connection
- BUG#28646344: Remove expression parsing on values
- BUG#28280321: Fix segmentation fault when using unicode characters in tables
- BUG#27794178: Using use_pure=False should raise an error if cext is not available
- BUG#27434751: Add a TLS/SSL option to verify server name
- WL#12239: Add support for Python 3.7
- WL#12226: Implement connect timeout
- WL#11897: Implement connection pooling for xprotocol
- BUG#28278352: C extension mysqlx Collection.add() leaks memory in sequential calls
- BUG#28037275: Missing bind parameters causes segfault or unclear error message
- BUG#27528819: Support special characters in the user and password using URI
- WL#11951: Consolidate discrepancies between pure and c extension
- WL#11932: Remove Fabric support
- WL#11898: Core API v1 alignment
- BUG#28188883: Use utf8mb4 as the default character set
- BUG#28133321: Fix incorrect columns names representing aggregate functions
- BUG#27962293: Fix Django 2.0 and MySQL 8.0 compatibility issues
- BUG#27567999: Fix wrong docstring in ModifyStatement.patch()
- BUG#27277937: Fix confusing error message when using an unsupported collation
- BUG#26834200: Deprecate Row.get_string() method
- BUG#26660624: Fix missing install option in documentation
- WL#11668: Add SHA256_MEMORY authentication mechanism
- WL#11614: Enable C extension by default
- WL#11448: New document _id generation support
- WL#11282: Support new locking modes NOWAIT and SKIP LOCKED
- BUG#27639119: Use a list of dictionaries to store warnings
- BUG#27634885: Update error codes for MySQL 8.0.11
- BUG#27589450: Remove upsert functionality from WriteStatement class
- BUG#27528842: Fix internal queries open for SQL injection
- BUG#27364914: Cursor prepared statements do not convert strings
- BUG#24953913: Fix failing unittests
- BUG#24948205: Results from JSON_TYPE() are returned as bytearray
- BUG#24948186: JSON type results are bytearray instead of corresponding python type
- WL#11372: Remove configuration API
- WL#11303: Remove CreateTable and CreateView
- WL#11281: Transaction savepoints
- WL#11278: Collection.create_index
- WL#11149: Create Pylint test for mysqlx
- WL#11142: Modify/MergePatch
- WL#11079: Add support for Python 3.6
- WL#11073: Add caching_sha2_password authentication plugin
- WL#10975: Add Single document operations
- WL#10974: Add Row locking methods to find and select operations
- WL#10973: Allow JSON types as operands for IN operator
- WL#10899: Add support for pure Python implementation of Protobuf
- WL#10771: Add SHA256 authentication
- WL#10053: Configuration handling interface
- WL#10772: Cleanup Drop APIs
- WL#10770: Ensure all Session connections are secure by default
- WL#10754: Forbid modify() and remove() with no condition
- WL#10659: Support utf8mb4 as default charset
- WL#10658: Remove concept of NodeSession
- WL#10657: Move version number to 8.0
- WL#10198: Add Protobuf C++ extension implementation
- WL#10004: Document UUID generation
- BUG#26175003: Fix Session.sql() when using unicode SQL statements with Python 2.7
- BUG#26161838: Dropping an non-existing index should succeed silently
- BUG#26160876: Fix issue when using empty condition in Collection.remove() and Table.delete()
- BUG#26029811: Improve error thrown when using an invalid parameter in bind()
- BUG#25991574: Fix Collection.remove() and Table.delete() missing filters
- WL#10452: Add Protobuf C++ extension for Linux variants and Mac OSX
- WL#10081: DevAPI: IPv6 support
- BUG#25614860: Fix defined_as method in the view creation
- BUG#25519251: SelectStatement does not implement order_by() method
- BUG#25436568: Update available operators for XPlugin
- BUG#24954006: Add missing items in CHANGES.txt
- BUG#24578507: Fix import error using Python 2.6
- BUG#23636962: Fix improper error message when creating a Session
- BUG#23568207: Fix default aliases for projection fields
- BUG#23567724: Fix operator names
- DevAPI: Schema.create_table
- DevAPI: Flexible Parameter Lists
- DevAPI: New transports: Unix domain socket
- DevAPI: Core TLS/SSL options for the mysqlx URI scheme
- DevAPI: View DDL with support for partitioning in a cluster / sharding
- BUG#24520850: Fix unexpected behavior when using an empty collection name
- Add support for Protocol Buffers 3
- Add View support (without DDL)
- Implement get_default_schema() method in BaseSchema
- DevAPI: Per ReplicaSet SQL execution
- DevAPI: XSession accepts a list of routers
- DevAPI: Define action on adding empty list of documents
- BUG#23729357: Fix fetching BIT datatype
- BUG#23583381: Add who_am_i and am_i_real methods to DatabaseObject
- BUG#23568257: Add fetch_one method to mysqlx.result
- BUG#23550743: Add close method to XSession and NodeSession
- BUG#23550057: Add support for URI as connection data
- Provide initial implementation of new DevAPI

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-409=1

Package List:

- openSUSE Leap 15.1 (noarch):

python2-mysql-connector-python-8.0.19-lp151.3.3.1
python3-mysql-connector-python-8.0.19-lp151.3.3.1
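To verify that a host actually carries the fixed builds listed above, the following added Python example (not part of the advisory or of the SUSE tooling) compares `rpm -q` output against the fixed version and release. The rpm output is constructed, and the comparison is a simplified form of rpm's version ordering that omits tilde/caret handling.

```python
import re

# Fixed builds from this advisory (openSUSE Leap 15.1, noarch), split into
# version and release as rpm reports them.
FIXED = {
    "python2-mysql-connector-python": ("8.0.19", "lp151.3.3.1"),
    "python3-mysql-connector-python": ("8.0.19", "lp151.3.3.1"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a, b):
    """Order two version/release strings the way rpm does for plain
    versions: split into digit runs and letter runs, compare numbers
    numerically and letters lexically, and let a numeric segment outrank
    an alphabetic one. Tilde/caret handling is omitted (simplification).
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1   # number beats letters
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def check_installed(rpm_lines):
    """rpm_lines: output of
       rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' <packages>
    Returns {name: True if at or above the fixed build, else False}."""
    status = {}
    for line in rpm_lines.strip().splitlines():
        name, ver, rel = line.split()
        if name in FIXED:
            fver, frel = FIXED[name]
            c = rpm_vercmp(ver, fver) or rpm_vercmp(rel, frel)
            status[name] = c >= 0
    return status


# Constructed sample: python3 package patched, python2 package still behind.
SAMPLE = """\
python3-mysql-connector-python 8.0.19 lp151.3.3.1
python2-mysql-connector-python 8.0.13 lp151.2.1
"""

if __name__ == "__main__":
    for name, ok in check_installed(SAMPLE).items():
        print(f"{name}: {'patched' if ok else 'needs openSUSE-2020-409'}")
```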

References:

https://www.suse.com/security/cve/CVE-2019-2435.html
https://bugzilla.suse.com/1122204


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
