Source: mysql-connector-python
Severity: serious

mysql-connector-python is affected by Oracle's policy of not disclosing which security issues they fix.

CVE-2019-2435 is labeled with a CVSS score of 8.1/10 and is only fixed in 8.x, while the version in stretch (2.1.x) is marked as vulnerable, but no 2.1.9 release is available, i.e. we cannot effectively provide a fix within stable only 20 months after stretch was released. This renders mysql-connector-python unsuitable for inclusion in a stable release with security support.

This leaves us with the following options for buster:

- There are no reverse dependencies in buster; remove it from testing and hope that someone less hostile to the FLOSS community creates a fork.

- Aside from the packaged software, and given that this is the only Python binding for mysql/mariadb, there is most definitely a sizable amount of in-house code using that module. Update src:debian-security-support to mark mysql-connector-python as unsupported and add a README.Debian.security which also documents this status within the package itself.

Cheers,
Moritz