Bug 891307

Summary:	dev-db/mysql-connector-c++: cyrus-sasl vulnerability (Oracle CPU Jan 2023)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	mysql-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.oracle.com/security-alerts/cpujan2023.html#AppendixMSQL
Whiteboard:	??
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2023-01-18 14:47:26 UTC

CVE-2022-24407 (https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28):

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Is cyrus-sasl bundled in mysql-connector-c++?

Comment 1 Larry the Git Cow gentoo-dev

2023-01-18 21:54:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab92f9ef29f6c74fd9dd60c6a59242afe0c342c2

commit ab92f9ef29f6c74fd9dd60c6a59242afe0c342c2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-18 06:05:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-18 21:49:00 +0000

    dev-db/mysql-connector-c++: add 8.0.32
    
    Bug: https://bugs.gentoo.org/891307
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/mysql-connector-c++/Manifest                |  1 +
 .../mysql-connector-c++-8.0.32.ebuild              | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)

Comment 2 Sam James archtester

2023-01-18 21:54:59 UTC

I haven't checked if it's bundled yet, but tagged bug given this release is likely the one that would addrss it if it is.

Comment 3 Sam James archtester

2023-01-18 22:16:47 UTC

I can't even see the files. I think we're OK.