8.0.28-0ubuntu0.20.04.3 Breaks SSL Connectivity to MySQL < 5.7

Bug #1960291 reported by Daniel Morante
This bug affects 1 person
Affects: mysql-8.0 (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

The MySQL client packages were automatically upgraded from `8.0.27-0ubuntu0.20.04.1` to `8.0.28-0ubuntu0.20.04.3`.

```
Start-Date: 2022-02-05 06:00:06
Commandline: /usr/bin/unattended-upgrade
Upgrade: libmysqlclient-dev:amd64 (8.0.27-0ubuntu0.20.04.1, 8.0.28-0ubuntu0.20.04.3), libmysqlclient21:amd64 (8.0.27-0ubuntu0.20.04.1, 8.0.28-0ubuntu0.20.04.3)
End-Date: 2022-02-05 06:00:08
```

This broke the workaround that is currently in place, as suggested by comments #36 and #37 on https://bugs.launchpad.net/ubuntu/+source/mysql-8.0/+bug/1872541.

The impact was significant (in my case), in that it prevented Postfix from processing mail, causing all sorts of grief.

```
Feb 8 06:32:35 mail.outbound.redacted.tld postfix/smtpd[1911139]: warning: connect to mysql server database.server.internal.tld: SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
```

I had to locate, download, and install the older packages from https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/22330183

There is a plan to upgrade MySQL/AWS RDS to a newer version but this was an unexpected change for an LTS version of the OS. Is the workaround mentioned no longer feasible?

```
lsb_release -rd
Description: Ubuntu 20.04.3 LTS
Release: 20.04
```

Daniel Morante (tuaris)
description: updated
Athos Ribeiro (athos-ribeiro) wrote :

Hi Daniel,

Thanks for taking the time to report this issue.

As per the MySQL 8.0.28 release notes [1], support for the TLSv1 and TLSv1.1 connection protocols, which had been deprecated since 8.0.26, was removed.

The reason for the bump can be found in the package changelog in [2]. There you will find that several CVEs were addressed with that update. It is likely that the security team did consider backporting the patches to fix those, but there are times when it ends up making more sense to introduce a new version to patch those CVEs.

I am subscribing the security team to this bug.

[1] https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-28.html#mysqld-8-0-28-feature
[2] https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.28-0ubuntu0.20.04.3

Marc Deslauriers (mdeslaur) wrote :

Unfortunately, as Oracle does not provide details on the exact security issues that get CVEs assigned, we are unable to backport patches for MySQL and are forced to update to newer MySQL releases.

The removal of TLSv1 and TLSv1.1 is an upstream change in MySQL 8.0.28.

Unfortunately, pinning an older version of MySQL in your apt configuration is the only way to prevent the insecure protocols from being removed, at the expense of not getting the other MySQL security fixes.

Since there is no action we can take to resolve this issue, I am marking this bug as Won't Fix.

Changed in mysql-8.0 (Ubuntu):
status: New → Won't Fix
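The failure mode in the report (unattended-upgrades pulling in libmysqlclient 8.0.28, after which the client refuses to negotiate TLSv1/TLSv1.1 with an old server and Postfix logs `ssl_choose_client_version:unsupported protocol`) and the pinning workaround described in the previous comment can both be handled from one small script. The following is an added example and is not code from the bug report, from Postfix, or from the Ubuntu maintainers. It assumes the apt history and syslog line formats are exactly as quoted in the report; the sample input below is constructed from those quoted lines plus one non-matching decoy line. The pin it emits uses the old version string taken from the log and a Pin-Priority of 1001 (above 1000 so apt is willing to downgrade), which is a choice made here, not something the thread prescribes.

```python
"""Detect a libmysqlclient upgrade that crossed into 8.0.28 (where upstream
removed TLSv1/TLSv1.1), correlate it with the Postfix error from the report,
and emit an apt preferences stanza that holds the client at the previous build.

Added example, not from the bug report or the Ubuntu packaging.
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the apt history excerpt in the report.
APT_HISTORY = """\
Start-Date: 2022-02-05 06:00:06
Commandline: /usr/bin/unattended-upgrade
Upgrade: libmysqlclient-dev:amd64 (8.0.27-0ubuntu0.20.04.1, 8.0.28-0ubuntu0.20.04.3), libmysqlclient21:amd64 (8.0.27-0ubuntu0.20.04.1, 8.0.28-0ubuntu0.20.04.3)
End-Date: 2022-02-05 06:00:08
"""

# Constructed sample syslog: the line quoted in the report plus one unrelated
# decoy line that must not match.
SYSLOG = """\
Feb 8 06:32:35 mail.outbound.redacted.tld postfix/smtpd[1911139]: warning: connect to mysql server database.server.internal.tld: SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Feb 8 06:32:40 mail.outbound.redacted.tld postfix/smtpd[1911139]: connect from unknown[192.0.2.10]
"""

# First upstream MySQL release without TLSv1/TLSv1.1 (per the 8.0.28 release notes).
TLS_REMOVAL = (8, 0, 28)

# One "pkg:arch (old, new)" entry on an apt "Upgrade:" line.
UPGRADE_RE = re.compile(r"(?P<pkg>[\w.+-]+):(?P<arch>\w+) \((?P<old>[^,]+), (?P<new>[^)]+)\)")

# The client-side OpenSSL error seen when the server only offers TLS < 1.2.
TLS_ERR_RE = re.compile(
    r"connect to mysql server (?P<host>[^\s:]+): SSL connection error: "
    r".*ssl_choose_client_version:unsupported protocol"
)


@dataclass
class Upgrade:
    date: str
    pkg: str
    old: str
    new: str


def version_key(debian_version: str) -> tuple:
    """Upstream part of a Debian version ('8.0.28-0ubuntu0.20.04.3' -> (8, 0, 28)).
    Only the upstream dotted-numeric part matters for the TLS removal check."""
    upstream = debian_version.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def parse_apt_history(text: str) -> list:
    """Collect every package upgrade from an apt history.log excerpt."""
    upgrades, date = [], None
    for line in text.splitlines():
        if line.startswith("Start-Date: "):
            date = line[len("Start-Date: "):]
        elif line.startswith("Upgrade: "):
            for m in UPGRADE_RE.finditer(line):
                upgrades.append(Upgrade(date, m["pkg"], m["old"], m["new"]))
    return upgrades


def find_tls_breaking_upgrades(upgrades: list) -> list:
    """libmysqlclient upgrades that moved from < 8.0.28 to >= 8.0.28."""
    return [
        u for u in upgrades
        if u.pkg.startswith("libmysqlclient")
        and version_key(u.old) < TLS_REMOVAL <= version_key(u.new)
    ]


def find_tls_errors(syslog: str) -> list:
    """Hostnames of MySQL servers Postfix could not reach due to the TLS version error."""
    hosts = []
    for line in syslog.splitlines():
        m = TLS_ERR_RE.search(line)
        if m:
            hosts.append(m["host"])
    return hosts


def apt_pin(upgrades: list) -> str:
    """apt preferences stanza holding the affected packages at their pre-8.0.28 version.
    Pin-Priority 1001 (> 1000) lets apt downgrade to the pinned version; assumption here."""
    old_versions = {u.old for u in upgrades}
    if len(old_versions) != 1:
        raise ValueError(f"expected one previous version, got {sorted(old_versions)}")
    pkgs = " ".join(sorted({u.pkg for u in upgrades}))
    return f"Package: {pkgs}\nPin: version {old_versions.pop()}\nPin-Priority: 1001\n"


if __name__ == "__main__":
    broken = find_tls_breaking_upgrades(parse_apt_history(APT_HISTORY))
    for u in broken:
        print(f"{u.date}: {u.pkg} {u.old} -> {u.new} (TLSv1/1.1 removed)")
    for host in find_tls_errors(SYSLOG):
        print(f"server {host} rejected: only TLS < 1.2 offered")
    print("--- /etc/apt/preferences.d/libmysqlclient ---")
    print(apt_pin(broken), end="")
```

Writing the emitted stanza to `/etc/apt/preferences.d/libmysqlclient` and running `apt-get install` for the pinned packages reinstates the 8.0.27 client, at the cost the previous comment spells out: no further MySQL security fixes reach that host until the pin is dropped. The pin is therefore a stopgap; the durable fix is a server that negotiates TLSv1.2, which can be confirmed from the client host with OpenSSL's `s_client -starttls mysql` against the server before unpinning.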
Robie Basak (racb) wrote :

Not to contradict anything said above, I'm just tagging regression-update while leaving this bug Won't Fix for record keeping purposes.

tags: added: regression-update