Hello Moritz, I'm not sure what kind of input you're expecting from (if at all, and this RC is mostly for the RT), but I'll reply.

> mysql-connector-python is affected by Oracle's policy of not disclosing
> what security fixes they fix.
>
> CVE-2019-2435 is labeled with a CVSS 8.1/10 score and only fixed in
> 8.x, while the version in stretch (2.1.x) is marked as vulnerable,
> but no 2.1.9 release is available, i.e. we cannot effectively provide
> a fix within stable only 20 months after stretch was released.
>
> This renders mysql-connector-python unsuitable for inclusion in a stable
> release with security support.

What kind of security support does Debian provide to the mysql server packages?

> This leaves us with the following options for buster:
> - There are no reverse dependencies in buster, remove it from testing
>   and hope that someone less hostile to the FLOSS community creates a
>   fork

From a quick look (on unstable):

    $ apt-cache rdepends python-mysql.connector
    python-mysql.connector
    Reverse Depends:
      mysql-utilities
      mysql-workbench
    $ apt-cache rdepends python3-mysql.connector
    python3-mysql.connector
    Reverse Depends:
      openlp
      python3-sql

So some packages, not many; I didn't verify if they are in buster atm.

> - Aside from the packaged software and given that this is the only Python
>   binding for mysql/mariadb, there's most definitely a sizable number of
>   inhouse code using that module. Update src:debian-security-support to
>   mark mysql-connector-python as unsupported and add a README.Debian.security
>   which also documents this status within the package itself.

I think this is up to the security team to decide, no?

-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi