openSUSE Security Update : python-mysql-connector-python (openSUSE-2020-409)

Nessus Plugin ID 135010 (Severity: High)


Synopsis

The remote openSUSE host is missing a security update.

Description

This update for python-mysql-connector-python fixes the following issues:

python-mysql-connector-python was updated to 8.0.19 (boo#1122204, CVE-2019-2435). The upstream changelog covered by this update is:

- WL#13531: Remove xplugin namespace

- WL#13372: DNS SRV support

- WL#12738: Specify TLS ciphers to be used by a client or session

- BUG#30270760: Fix reserved field should have a length of 22

- BUG#29417117: Close file in handle load data infile

- WL#13330: Single C/Python (Win) MSI installer

- WL#13335: Connectors should handle expired password sandbox without SET operations

- WL#13194: Add support for Python 3.8

- BUG#29909157: Table scans of floats causes memory leak with the C extension

- BUG#25349794: Add read_default_file alias for option_files in connect()

- WL#13155: Support new utf8mb4 bin collation

- WL#12737: Add overlaps and not_overlaps as operator

- WL#12735: Add README.rst and CONTRIBUTING.rst files

- WL#12227: Indexing array fields

- WL#12085: Support cursor prepared statements with C extension

- BUG#29855733: Fix error during connection using charset and collation combination

- BUG#29833590: Calling execute() should fetch active results

- BUG#21072758: Support for connection attributes classic

- WL#12864: Upgrade of Protobuf version to 3.6.1

- WL#12863: Drop support for Django versions older than 1.11

- WL#12489: Support new session reset functionality

- WL#12488: Support for session-connect-attributes

- WL#12297: Expose metadata about the source and binaries

- WL#12225: Prepared statement support

- BUG#29324966: Add missing username connection argument for driver compatibility

- BUG#29278489: Fix wrong user and group for Solaris packages

- BUG#29001628: Fix access by column label in Table.select()

- BUG#28479054: Fix Python interpreter crash due to memory corruption

- BUG#27897881: Empty LONG BLOB throws an IndexError

- BUG#29260128: Disable load data local infile by default

- WL#12607: Handling of Default Schema

- WL#12493: Standardize count method

- WL#12492: Be prepared for initial notice on connection

- BUG#28646344: Remove expression parsing on values

- BUG#28280321: Fix segmentation fault when using unicode characters in tables

- BUG#27794178: Using use_pure=False should raise an error if cext is not available

- BUG#27434751: Add a TLS/SSL option to verify server name

- WL#12239: Add support for Python 3.7

- WL#12226: Implement connect timeout

- WL#11897: Implement connection pooling for xprotocol

- BUG#28278352: C extension mysqlx Collection.add() leaks memory in sequential calls

- BUG#28037275: Missing bind parameters causes segfault or unclear error message

- BUG#27528819: Support special characters in the user and password using URI

- WL#11951: Consolidate discrepancies between pure and c extension

- WL#11932: Remove Fabric support

- WL#11898: Core API v1 alignment

- BUG#28188883: Use utf8mb4 as the default character set

- BUG#28133321: Fix incorrect columns names representing aggregate functions

- BUG#27962293: Fix Django 2.0 and MySQL 8.0 compatibility issues

- BUG#27567999: Fix wrong docstring in ModifyStatement.patch()

- BUG#27277937: Fix confusing error message when using an unsupported collation

- BUG#26834200: Deprecate Row.get_string() method

- BUG#26660624: Fix missing install option in documentation

- WL#11668: Add SHA256_MEMORY authentication mechanism

- WL#11614: Enable C extension by default

- WL#11448: New document _id generation support

- WL#11282: Support new locking modes NOWAIT and SKIP LOCKED

- BUG#27639119: Use a list of dictionaries to store warnings

- BUG#27634885: Update error codes for MySQL 8.0.11

- BUG#27589450: Remove upsert functionality from WriteStatement class

- BUG#27528842: Fix internal queries open for SQL injection

- BUG#27364914: Cursor prepared statements do not convert strings

- BUG#24953913: Fix failing unittests

- BUG#24948205: Results from JSON_TYPE() are returned as bytearray

- BUG#24948186: JSON type results are bytearray instead of corresponding python type

- WL#11372: Remove configuration API

- WL#11303: Remove CreateTable and CreateView

- WL#11281: Transaction savepoints

- WL#11278: Collection.create_index

- WL#11149: Create Pylint test for mysqlx

- WL#11142: Modify/MergePatch

- WL#11079: Add support for Python 3.6

- WL#11073: Add caching_sha2_password authentication plugin

- WL#10975: Add Single document operations

- WL#10974: Add Row locking methods to find and select operations

- WL#10973: Allow JSON types as operands for IN operator

- WL#10899: Add support for pure Python implementation of Protobuf

- WL#10771: Add SHA256 authentication

- WL#10053: Configuration handling interface

- WL#10772: Cleanup Drop APIs

- WL#10770: Ensure all Session connections are secure by default

- WL#10754: Forbid modify() and remove() with no condition

- WL#10659: Support utf8mb4 as default charset

- WL#10658: Remove concept of NodeSession

- WL#10657: Move version number to 8.0

- WL#10198: Add Protobuf C++ extension implementation

- WL#10004: Document UUID generation

- BUG#26175003: Fix Session.sql() when using unicode SQL statements with Python 2.7

- BUG#26161838: Dropping a non-existing index should succeed silently

- BUG#26160876: Fix issue when using empty condition in Collection.remove() and Table.delete()

- BUG#26029811: Improve error thrown when using an invalid parameter in bind()

- BUG#25991574: Fix Collection.remove() and Table.delete() missing filters

- WL#10452: Add Protobuf C++ extension for Linux variants and Mac OSX

- WL#10081: DevAPI: IPv6 support

- BUG#25614860: Fix defined_as method in the view creation

- BUG#25519251: SelectStatement does not implement order_by() method

- BUG#25436568: Update available operators for XPlugin

- BUG#24954006: Add missing items in CHANGES.txt

- BUG#24578507: Fix import error using Python 2.6

- BUG#23636962: Fix improper error message when creating a Session

- BUG#23568207: Fix default aliases for projection fields

- BUG#23567724: Fix operator names

- DevAPI: Schema.create_table

- DevAPI: Flexible Parameter Lists

- DevAPI: New transports: Unix domain socket

- DevAPI: Core TLS/SSL options for the mysqlx URI scheme

- DevAPI: View DDL with support for partitioning in a cluster / sharding

- BUG#24520850: Fix unexpected behavior when using an empty collection name

- Add support for Protocol Buffers 3

- Add View support (without DDL)

- Implement get_default_schema() method in BaseSchema

- DevAPI: Per ReplicaSet SQL execution

- DevAPI: XSession accepts a list of routers

- DevAPI: Define action on adding empty list of documents

- BUG#23729357: Fix fetching BIT datatype

- BUG#23583381: Add who_am_i and am_i_real methods to DatabaseObject

- BUG#23568257: Add fetch_one method to mysqlx.result

- BUG#23550743: Add close method to XSession and NodeSession

- BUG#23550057: Add support for URI as connection data

- Provide initial implementation of new DevAPI
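Several entries in the changelog above are client-side hardening options that only help if the calling code enables them: TLS server-name verification (BUG#27434751), LOAD DATA LOCAL INFILE disabled by default (BUG#29260128), TLS cipher and version selection (WL#12738), and prepared/parameterized statements (WL#12225, BUG#27528842). The block below is an added example, not code from the advisory or from Connector/Python itself. It places a weak mysql.connector.connect() keyword set beside a hardened one and runs a small audit over both; the host, CA path, credentials and the users table are placeholders, and the option names are assumed to match the installed connector's connect() arguments.

```python
"""Weak vs hardened mysql.connector client settings (added example, not from the advisory)."""

# Constructed placeholder settings: host, CA path and credentials are not real.
WEAK_CONNECT_KWARGS = {
    "host": "db.example.internal",
    "user": "app",
    "password": "example-password",
    "database": "app",
    "ssl_disabled": True,        # plaintext: credentials and rows are readable on the wire
    "allow_local_infile": True,  # lets the server pull client-side files via LOAD DATA LOCAL
}

HARDENED_CONNECT_KWARGS = {
    "host": "db.example.internal",
    "user": "app",
    "password": "example-password",
    "database": "app",
    "ssl_ca": "/etc/pki/trust/anchors/mysql-ca.pem",  # placeholder path to the CA that signed the server cert
    "ssl_verify_cert": True,      # reject certificates that do not chain to ssl_ca
    "ssl_verify_identity": True,  # also match the certificate's name against host (BUG#27434751)
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
    "allow_local_infile": False,  # the default since BUG#29260128; stated explicitly so old defaults cannot bite
}

LEGACY_TLS = {"TLSv1", "TLSv1.1"}


def audit_connect_kwargs(kwargs):
    """Return a list of findings for a mysql.connector.connect() keyword dict (empty means clean)."""
    findings = []
    if kwargs.get("ssl_disabled"):
        findings.append("ssl_disabled=True: connection is plaintext")
    else:
        if not kwargs.get("ssl_ca"):
            findings.append("ssl_ca missing: server certificate cannot be chained to a trusted CA")
        if not kwargs.get("ssl_verify_cert"):
            findings.append("ssl_verify_cert is off: any certificate is accepted")
        if not kwargs.get("ssl_verify_identity"):
            findings.append("ssl_verify_identity is off: a valid certificate for another host is accepted")
        legacy = LEGACY_TLS.intersection(kwargs.get("tls_versions", []))
        if legacy:
            findings.append("legacy TLS versions enabled: " + ", ".join(sorted(legacy)))
    if kwargs.get("allow_local_infile"):
        findings.append("allow_local_infile=True: server can request arbitrary client files")
    return findings


def fetch_user_by_name(cnx, name):
    """Look up a user with a parameterized query; the driver binds `name` as data, never as SQL.
    `cnx` is an already open mysql.connector connection (not created here)."""
    cur = cnx.cursor()
    try:
        cur.execute("SELECT id, email FROM users WHERE name = %s", (name,))
        return cur.fetchall()
    finally:
        cur.close()


if __name__ == "__main__":
    for label, kw in (("weak", WEAK_CONNECT_KWARGS), ("hardened", HARDENED_CONNECT_KWARGS)):
        print(label, audit_connect_kwargs(kw) or "no findings")
    import mysql.connector  # imported here so the audit above runs without the driver installed
    cnx = mysql.connector.connect(**HARDENED_CONNECT_KWARGS)
    try:
        # The quote and OR clause are sent as a literal name value, not interpreted as SQL.
        print(fetch_user_by_name(cnx, "alice' OR '1'='1"))
    finally:
        cnx.close()
```

The audit is deliberately order-sensitive: once ssl_disabled is set, the TLS findings are moot, so only the plaintext finding and the LOCAL INFILE finding are reported for the weak set, and the hardened set reports nothing.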

Solution

Update the affected python-mysql-connector-python packages.
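The plugin decides whether a host is affected from the installed RPM list (Required KB Items: Host/SuSE/rpm-list) and compares package versions against the fixed version. The block below is an added example, not the plugin's NASL code: it reproduces that check in Python by splitting rpm -qa style entries into name, version, release and arch, comparing versions with the RPM segment algorithm (so 8.0.9 sorts below 8.0.19 and a ~rc pre-release below its final release), and reporting the package names from the CPE list that are older than 8.0.19. The sample package list is constructed and its release strings are placeholders; because the advisory gives only the upstream version, the check treats any 8.0.19 build as fixed and ignores the release field.

```python
"""Local version check for openSUSE-2020-409 (added example, not the plugin's NASL code)."""
import re
import sys

# Package names from the advisory's CPE list and the fixed upstream version from its description.
AFFECTED_PACKAGES = ("python2-mysql-connector-python", "python3-mysql-connector-python")
FIXED_VERSION = "8.0.19"

# Constructed sample of `rpm -qa` output; release strings are placeholders, not real openSUSE builds.
SAMPLE_RPM_LIST = """\
python3-mysql-connector-python-8.0.13-lp151.1.1.noarch
python2-mysql-connector-python-8.0.19-lp151.1.1.noarch
python3-PyMySQL-0.9.3-lp151.1.1.noarch
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two RPM version/release strings like librpm's rpmvercmp(): returns -1, 0 or 1.
    Segments are runs of digits or letters; digits beat letters, '~' sorts before anything
    (so 8.0.19~rc1 < 8.0.19), and a leftover trailing segment wins if numeric, loses otherwise."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(ta, tb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    longer_is_a = len(ta) > len(tb)
    rest = (ta if longer_is_a else tb)[min(len(ta), len(tb))]
    if rest.isdigit():
        return 1 if longer_is_a else -1
    return -1 if longer_is_a else 1  # '~' or letters left over: that side is older


def parse_rpm(entry):
    """Split 'name-version-release.arch' into (name, version, release, arch).
    Epoch-prefixed versions ('name-epoch:version-...') are not handled; the sample has none."""
    nvr, arch = entry.rsplit(".", 1)
    nv, release = nvr.rsplit("-", 1)
    name, version = nv.rsplit("-", 1)
    return name, version, release, arch


def find_vulnerable(rpm_list, affected=AFFECTED_PACKAGES, fixed=FIXED_VERSION):
    """Return (name, version) for each affected package installed below the fixed version."""
    found = []
    for line in rpm_list.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, _release, _arch = parse_rpm(line)
        if name in affected and rpmvercmp(version, fixed) < 0:
            found.append((name, version))
    return found


if __name__ == "__main__":
    # Pipe real data in with `rpm -qa | python3 check.py`; otherwise the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_LIST
    for name, version in find_vulnerable(data):
        print(f"{name} {version} is older than {FIXED_VERSION}: apply openSUSE-2020-409")
```

On the constructed sample only the python3 package is flagged: its 8.0.13 sorts below 8.0.19, the python2 package is already at 8.0.19, and PyMySQL is not in the advisory's package list.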

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1122204

Plugin Details

Severity: High

ID: 135010

File Name: openSUSE-2020-409.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/30/2020

Updated: 3/20/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-2435

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python3-mysql-connector-python, p-cpe:/a:novell:opensuse:python2-mysql-connector-python, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/29/2020

Vulnerability Publication Date: 1/16/2019

Reference Information

CVE: CVE-2019-2435