Source: mydumper
Version: 0.10.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for mydumper.

CVE-2025-30224[0]:
| MyDumper is a MySQL Logical Backup Tool. The MySQL C client library
| (libmysqlclient) allows authenticated remote actors to read
| arbitrary files from client systems via a crafted server response to
| LOAD LOCAL INFILE query, leading to sensitive information disclosure
| when clients connect to untrusted MySQL servers without explicitly
| disabling the local infile capability. Mydumper has the local infile
| option enabled by default and does not have an option to disable it.
| This can lead to an unexpected arbitrary file read if the Mydumper
| tool connects to an untrusted server. This vulnerability is fixed in
| 0.18.2-8.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30224
    https://www.cve.org/CVERecord?id=CVE-2025-30224
[1] https://github.com/mydumper/mydumper/security/advisories/GHSA-r8qc-xp3g-c458

Regards,
Salvatore
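
Added example, not part of the original report and not mydumper or Debian code: a detection sketch that walks a decoded MySQL conversation and flags a server file request (first reply byte 0xFB) that the preceding client query did not ask for. It assumes an uncompressed, decrypted capture already split into packets, that query attributes are not negotiated (the query text directly follows the command byte), and the function names and sample conversation are constructed for illustration.

```python
import re

COM_QUERY = 0x03             # client command byte: text query follows
LOCAL_INFILE_REQUEST = 0xFB  # server reply byte: "send me this file"
LOAD_LOCAL = re.compile(rb"\bLOAD\s+(?:DATA|XML)\b[^;]*?\bLOCAL\b", re.I)

def pkt(seq, payload):
    """Build one MySQL packet: 3-byte little-endian length, sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def split_packet(raw):
    length = int.from_bytes(raw[:3], "little")
    if len(raw) < 4 + length:
        raise ValueError("truncated packet")
    return raw[3], raw[4:4 + length]

def find_unsolicited_infile(events):
    """events: ordered (direction, raw_packet) pairs, 'C' = client, 'S' = server.
    Returns (query, requested_path) for each file request the query did not ask for."""
    findings, last_query = [], None
    for direction, raw in events:
        seq, payload = split_packet(raw)
        if direction == "C" and seq == 0:
            # Remember the query text; any other command clears the state.
            last_query = payload[1:] if payload[:1] == bytes([COM_QUERY]) else None
        elif direction == "S" and seq == 1 and last_query is not None:
            # Only the first reply packet can be a file request; in later
            # packets a leading 0xFB is a NULL column value in a result row.
            if payload[:1] == bytes([LOCAL_INFILE_REQUEST]):
                path = payload[1:]
                if not LOAD_LOCAL.search(last_query) or path not in last_query:
                    findings.append((last_query.decode(errors="replace"),
                                     path.decode(errors="replace")))
            last_query = None
    return findings

# Constructed conversation (not a real capture); paths are placeholders.
SAMPLE = [
    ("C", pkt(0, b"\x03SELECT @@version_comment")),
    ("S", pkt(1, b"\xfb/constructed/client/file")),   # unsolicited request
    ("C", pkt(0, b"\x03LOAD DATA LOCAL INFILE 'rows.csv' INTO TABLE t")),
    ("S", pkt(1, b"\xfbrows.csv")),                    # solicited, same file
    ("C", pkt(0, b"\x03LOAD DATA LOCAL INFILE 'rows.csv' INTO TABLE t")),
    ("S", pkt(1, b"\xfb/constructed/other/file")),     # path mismatch
    ("C", pkt(0, b"\x03SELECT 1")),
    ("S", pkt(1, b"\x01")),                            # ordinary column count
]

if __name__ == "__main__":
    for query, path in find_unsolicited_infile(SAMPLE):
        print(f"ALERT server requested {path!r} after query {query!r}")
```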