| Package | mysql-connector-python |
|---|---|
| Version | 2.1.6-1+deb9u1 (stretch) |
| Related CVEs | CVE-2019-2435 CVE-2024-21272 CVE-2025-21548 |
Multiple vulnerabilities have been discovered in mysql-connector-python, a Python implementation of the MySQL client/server protocol.
CVE-2019-2435
A vulnerability to man-in-the-middle attacks was discovered in the pure
Python implementation. MySQL clients connecting using TLS have not been
verifying the server name against the server certificate's common
name (CN) and subject alternative names (SANs).
CVE-2024-21272
Malicious strings can be injected when utilizing dictionary-based query
parameterization via the `cursor.execute()` API command and the C-based
implementation of the connector.
CVE-2025-21548
A possible RCE has been detected involving the MySQL Connector/Python
configuration files.
For Debian 9 stretch, these problems have been fixed in version 2.1.6-1+deb9u1.
We recommend that you upgrade your mysql-connector-python packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.