SUSE-SU-2023:2241-1

Описание

This update for mysql-connector-java fixes the following issues:

• CVE-2023-21971: Fixed a crash in MySQL Connectors that could be triggered by an authenticated remote user (bsc#1211247).

• Ship protobuf 3.9.2 compatible generated files to support older distro versions.

• Update to 8.0.32:

  • MysqlDataSource fails to URL encode database name when constructing JDBC URL.
  • serverSideStatementCache ignores resultSetType.
  • UpdatableResultSet does not properly handle unsigned primary key.
  • Connector/J 8 query with explain can not return ResultRow.
  • Add support to row alias on INSERT... ON DUPLICATE KEY UPDATE on batch mode.
  • connectionCollation ignored if characterEncoding is set.
  • Connector/J rejects UNION with CTE.
  • Malformed packet generation for COM_STMT_EXECUTE.
  • Connector/J client hangs after prepare & execute process with old version server.
  • Contribution: Fix name of relocation POM file.
  • Contribution: [PATCH] Remove superfluous use of boxing.
  • Contribution: Recognize 'ON DUPLICATE KEY UPDATE' in 'INSERT SET' Statement.
  • RPM and DEB builds broken after introducing javadoc for maven bundles.
  • Sonatype compliant POM and maven bundles.
  • Upgrade 3rd party libraries and tools.
  • Upgrade Protocol Buffers dependency to protobuf-java-3.21.9.

• As Oracle renamed the package to 'mysql-connector-j', we are 'providing' both names for now, but the package has to be renamed to accommodate the change because the old name will be deprecated at some point in the future without further notice.

• Update to 8.0.31:

  Functionality Added or Changed

  • Important Change: To comply with proper naming guidelines, the Maven groupId and artifactId for Connector/J have been changed to the following starting with this release: groupId: com.mysql artifactId: mysql-connector-j
  • The old groupId and artifactId can still be used for linking the Connector/J library, but they will point to a Maven relocation POM, redirecting users to the new coordinates. Please switch to the new coordinates as soon as possible, as the old coordinates could be discontinued anytime without notice. See Installing Connector/J Using Maven.
  • Also, to go with these changes, the .jar library for Connector/J has been renamed to mysql-connector-j-x.y.z for all channels of distribution by Oracle, not just the Maven repository.
  • Before release 8.0.29, Connector/J always interpolated byte arrays as hexadecimal literals when obtaining a prepared statement's string representation by the toString() method. Since 8.0.29, all byte array values were displayed as ** BYTE ARRAY DATA ** when converted to strings. The same is also true for null values.
  • To allow different ways to display byte array data and null values, a new connection property, maxByteArrayAsHex, has been introduced: byte arrays shorter than the value of maxByteArrayAsHex are now shown as hexadecimal literals like before release 8.0.29. Any byte arrays longer than this value are interpolated generically as ** BYTE ARRAY DATA **.

  Bugs Fixed

  • X DevAPI: When parsing a string into a JSON string, some escape character sequences were not parsed properly, causing the Server to throw a com.mysql.cj.exceptions.WrongArgumentException when receiving the JSON value. This fix ensures that escape sequences are handled properly.
  • X DevAPI: When using the modify() method on JSON documents, any backslashes inside a literal to be used for the modification were lost. This fix corrects the mistakes in the expression parser that caused the issue.
  • Executing a PreparedStatment after applying setFetchSize(0) on it caused an ArrayIndexOutOfBoundsException.
  • Due to some old limitations, when used with Java applets, Connector/J found out the default character set on a system by various workarounds like reading the system property file.encoding, using an OutpuStreamWriter, etc. With this fix, Connector/J now uses Charset.defaultCharset(), the standard method for the purpose.

• Update to 8.0.30:

  Functionality Added or Changed

  • X DevAPI: For document-modifying methods that are chained after modify() and take a document path expression as one of its arguments (that is, set(), unset(), arrayInsert(), arrayAppend()), Connector/J now throws an error when the document path is empty or is a null string.

  Bugs Fixed

  • Historically, MySQL Server has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized (though deprecated) character set on its own for MySQL Server and to make things consistent, in release 8.0.30, any collations prefixed with utf8_ are now prefixed with utf8mb3_ instead. To go with that change, Connector/J has updated its character set and collation mapping accordingly in this release, and users are encouraged to update to Connector/J 8.0.30 to avoid potential issues when working with MySQL Server 8.0.30 or later.
  • A few links in the CONTRIBUTING.md file in the distribution packages were broken. They have now been fixed or removed.
  • The description for the connection property rewriteBatchedStatements has been corrected, removing the limitation that server-sided prepared statements could not take advantage of the rewrite option.
  • A spelling error has been fixed in the source file for the PropertyDefinitions class. Thanks to Weijie Wu for contributing the fix.
  • DatabaseMetaData.getTypeInfo always returned false for AUTO_INCREMENT for all data types. With this fix, Connector/J returns the correct value for each data type. Also, the missing types DOUBLE UNSIGNED and DOUBLE PRECISION UNSIGNED have been added to the ResultSet.
  • Contrary to the the MySQL requirement for comments, Connector/J did not require a whitespace (or a control character such as a newline) after '--' to mark the beginning of a comment within a SQL statement. This fix aligns Connector/J with the MySQL requirement.