Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635616 (CVE-2017-3590)

Summary: dev-python/mysql-connector-python-2.1.7: Improper access control
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: mysql-bugs, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-27 18:59:56 UTC 
CVE-2017-3590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3590):
  Vulnerability in the MySQL Connectors component of Oracle MySQL
  (subcomponent: Connector/Python). Supported versions that are affected are
  2.1.5 and earlier. Easily "exploitable" vulnerability allows low privileged
  attacker with logon to the infrastructure where MySQL Connectors executes to
  compromise MySQL Connectors. Successful attacks of this vulnerability can
  result in unauthorized update, insert or delete access to some of MySQL
  Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts).
  CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 19:01:33 UTC 
@Maintainers current version 2.1.7 should be fixed. Please let us know when tree is clean from vulnerable versions.

Thank you.
Comment 2 Larry the Git Cow gentoo-dev 2018-07-16 13:43:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03d1b50bd3cd36192cc5b23c16a12c47070948fa

commit 03d1b50bd3cd36192cc5b23c16a12c47070948fa
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-07-16 13:34:27 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-07-16 13:43:18 +0000

    dev-python/mysql-connector-python: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/635616
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-python/mysql-connector-python/Manifest         |  1 -
 .../mysql-connector-python-2.1.4.ebuild            | 37 ----------------------
 2 files changed, 38 deletions(-)
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-07-16 13:46:28 UTC 
The only remaining version, 2.14, has been removed from the tree. The package has no stable ebuild yet so I don't think there's anything left to do.