CVE-2022-24407 (https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28): In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. Is cyrus-sasl bundled in mysql-connector-c++?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab92f9ef29f6c74fd9dd60c6a59242afe0c342c2

commit ab92f9ef29f6c74fd9dd60c6a59242afe0c342c2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-18 06:05:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-18 21:49:00 +0000

    dev-db/mysql-connector-c++: add 8.0.32

    Bug: https://bugs.gentoo.org/891307
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mysql-connector-c++/Manifest                |  1 +
 .../mysql-connector-c++-8.0.32.ebuild              | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
I haven't checked if it's bundled yet, but tagged bug given this release is likely the one that would address it if it is.
I can't even see the files. I think we're OK.