Subject: [ASA-201902-21] python-mysql-connector: authentication bypass Arch Linux Security Advisory ASA-201902-21 ========================================== Severity: High Date : 2019-02-17 CVE-ID : CVE-2019-2435 Package : python-mysql-connector Type : authentication bypass Remote : Yes Link : https://security.archlinux.org/AVG-898 Summary ======= The package python-mysql-connector before version 8.0.15-1 is vulnerable to authentication bypass. Resolution ========== Upgrade to 8.0.15-1. # pacman -Syu "python-mysql-connector>=8.0.15-1" The problem has been fixed upstream in version 8.0.15. Workaround ========== None. Description =========== A flaw was found in mysql-connector prior to version 8.0.13. Unauthenticated attacker with network access via TLS could compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized creation, deletion or modification access to critical data. Impact ====== An unauthenticated attacker could serve malicious TLS traffic and bypass authentication. References ========== https://bugs.archlinux.org/task/61758 https://github.com/mysql/mysql-connector-python/commit/069bc6737dd13b7f3a41d7fc23b789b659d8e205 https://security.netapp.com/advisory/ntap-20190118-0002/ https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html https://security.archlinux.org/CVE-2019-2435