Your message dated Tue, 09 Sep 2025 03:38:38 +0000
with message-id <[email protected]>
and subject line Bug#1102002: fixed in mydumper 0.10.1-2
has caused the Debian Bug report #1102002,
regarding mydumper: CVE-2025-30224
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1102002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102002
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mydumper
Version: 0.10.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for mydumper.
CVE-2025-30224[0]:
| MyDumper is a MySQL Logical Backup Tool. The MySQL C client library
| (libmysqlclient) allows authenticated remote actors to read
| arbitrary files from client systems via a crafted server response to
| LOAD LOCAL INFILE query, leading to sensitive information disclosure
| when clients connect to untrusted MySQL servers without explicitly
| disabling the local infile capability. Mydumper has the local infile
| option enabled by default and does not have an option to disable it.
| This can lead to an unexpected arbitrary file read if the Mydumper
| tool connects to an untrusted server. This vulnerability is fixed in
| 0.18.2-8.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-30224
https://www.cve.org/CVERecord?id=CVE-2025-30224
[1] https://github.com/mydumper/mydumper/security/advisories/GHSA-r8qc-xp3g-c458
Regards,
Salvatore
--- End Message ---
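At the wire level, the "crafted server response" the advisory describes is a LOCAL INFILE request packet that the server may send in reply to any statement; the following is an added example (not mydumper's or libmysqlclient's own code) of the client-side check that decides whether such a request is honoured, which is what a client library performs internally once the local infile option is switched off. The packet layout follows the public MySQL client/server protocol; the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What the client decides about one server reply to a query. */
enum reply_kind {
    REPLY_OTHER = 0,          /* OK, ERR or result set: not a file request */
    REPLY_INFILE_WOULD_SEND,  /* 0xFB request with local infile on: a file would be uploaded */
    REPLY_INFILE_REFUSED,     /* 0xFB request with local infile off: decline it */
    REPLY_MALFORMED
};

#define MAX_NAME 256
static char last_name[MAX_NAME];  /* path taken from the most recent 0xFB request */
const char *last_requested_file(void) { return last_name; }

/* Inspect one wire packet: 3-byte little-endian payload length, 1-byte sequence id,
 * then the payload. A payload whose first byte is 0xFB is a LOCAL INFILE request and
 * the remaining bytes are the path the server asks the client to read and send back.
 * A hostile server can answer any statement this way, so the client side must decide. */
enum reply_kind inspect_reply(const uint8_t *pkt, size_t len, int local_infile_enabled)
{
    if (len < 4) return REPLY_MALFORMED;
    uint32_t plen = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) | ((uint32_t)pkt[2] << 16);
    if (plen == 0 || len < 4 + (size_t)plen) return REPLY_MALFORMED;
    const uint8_t *payload = pkt + 4;
    if (payload[0] != 0xFB) return REPLY_OTHER;
    size_t name_len = plen - 1;
    if (name_len == 0 || name_len >= MAX_NAME) return REPLY_MALFORMED;
    memcpy(last_name, payload + 1, name_len);
    last_name[name_len] = '\0';
    return local_infile_enabled ? REPLY_INFILE_WOULD_SEND : REPLY_INFILE_REFUSED;
}

/* Declining means answering with an empty packet (zero-length payload, next sequence
 * id); the server then reports an error instead of receiving the file's contents. */
uint8_t build_decline_packet(const uint8_t *req, uint8_t out[4])
{
    out[0] = out[1] = out[2] = 0;
    out[3] = (uint8_t)(req[3] + 1);
    return out[3];
}

/* Constructed sample: a server answering an ordinary SELECT with a file request. */
const uint8_t SAMPLE_INFILE_REQ[] = {
    0x0E, 0x00, 0x00, 0x01,                                   /* length 14, seq 1 */
    0xFB, '/', 'e', 't', 'c', '/', 'h', 'o', 's', 't', 'n', 'a', 'm', 'e'
};
/* Constructed sample: a plain OK packet (header 0x00, 0 rows, 0 insert id, status, warnings). */
const uint8_t SAMPLE_OK[] = { 0x07, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 };
```

With the option disabled, the request is recognised and refused before any file is opened, which is the behaviour the Debian fix restores for mydumper connections.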
--- Begin Message ---
Source: mydumper
Source-Version: 0.10.1-2
Done: Otto Kekäläinen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mydumper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Otto Kekäläinen <[email protected]> (supplier of updated mydumper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 08 Sep 2025 13:01:35 -0700
Source: mydumper
Architecture: source
Version: 0.10.1-2
Distribution: unstable
Urgency: medium
Maintainer: Otto Kekäläinen <[email protected]>
Changed-By: Otto Kekäläinen <[email protected]>
Closes: 1000014 1102002 1109991
Changes:
mydumper (0.10.1-2) unstable; urgency=medium
.
[ Lee Garrett ]
* Fix CVE-2025-30224 (Closes: #1102002):
- The MySQL C client library (libmysqlclient) allows authenticated remote
actors to read arbitrary files from client systems via a crafted server
response to LOAD LOCAL INFILE query, leading to sensitive information
disclosure when clients connect to untrusted MySQL servers without
explicitly disabling the local infile capability. Mydumper had the local
infile option enabled by default and does not have an option to disable
it. This can lead to an unexpected arbitrary file read if the Mydumper
tool connects to an untrusted server.
* Add autopkgtest integration tests
* Add debian/gbp.conf
.
[ Otto Kekäläinen ]
* Apply `wrap-and-sort -vast` to make tracking changes easier in git
* Add myself as maintainer (Closes: #1109991)
* Replace outdated PCRE3 with modern PCRE2 (Closes: #1000014)
* Add patch to make current MyDumper version compile with pcre2
* Remove patches that are missing from debian/patches/series
* Enable Salsa CI using default template
* Clean up changelog
--- End Message ---