chore(deps): update dependency mysql-connector-python to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mysql-connector-python (changelog)	<=8.0.16 -> <=9.1.0

GitHub Vulnerability Alerts

CVE-2024-21272

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

---

Release Notes

mysql/mysql-connector-python (mysql-connector-python)

v9.1.0

Compare Source

======

• WL#16452: Bundle all installable authentication plugins when building the C-extension
• WL#16444: Drop build support for DEB packages
• WL#16442: Upgrade gssapi version to 1.8.3
• WL#16411: Improve wheel metadata information for Classic and XDevAPI connectors
• WL#16341: OpenID Connect (Oauth2 - JWT) Authentication Support
• WL#16307: Remove Python 3.8 support
• WL#16306: Add support for Python 3.13
• BUG#37055435: Connection fails during the TLS negotiation when specifying TLSv1.3 ciphers
• BUG#37013057: mysql-connector-python Parameterized query SQL injection
• BUG#36765200: python mysql connector 8.3.0 raise %-.100s:%u when input a wrong host
• BUG#36577957: Update charset/collation description indicate this is 16 bits

v9.0.0

Compare Source

======

• WL#16350: Update dnspython version
• WL#16318: Deprecate Cursors Prepared Raw and Named Tuple
• WL#16284: Update the Python Protobuf version
• WL#16283: Remove OpenTelemetry Bundled Installation
• BUG#36664998: Packets out of order error is raised while changing user in aio
• BUG#36611371: Update dnspython required versions to allow latest 2.6.1
• BUG#36570707: Collation set on connect using C-Extension is ignored
• BUG#36476195: Incorrect escaping in pure Python mode if sql_mode includes NO_BACKSLASH_ESCAPES
• BUG#36289767: MySQLCursorBufferedRaw does not skip conversion

v8.4.0

Compare Source

======

• WL#16203: GPL License Exception Update
• WL#16173: Update allowed cipher and cipher-suite lists
• WL#16164: Implement support for new vector data type
• WL#16127: Remove the FIDO authentication mechanism
• WL#16053: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for C-extension
• BUG#36227964: Improve OpenTelemetry span coverage
• BUG#36167880: Massive memory leak mysqlx native Protobuf adding to collection

v8.3.0

Compare Source

======

• WL#16015: Remove use of removed COM_ commands
• WL#15985: Support GSSAPI/Kerberos authentication on Windows using authentication_ldap_sasl_client plug-in for Pure Python
• WL#15983: Stop using mysql_ssl_set api
• WL#15982: Remove use of mysql_shutdown
• WL#15950: Support query parameters for prepared statements
• WL#15942: Improve type hints and standardize byte type handling
• WL#15836: Split mysql and mysqlx into different packages
• WL#15523: Support Python DB API asynchronous execution
• BUG#35912790: Binary strings are converted when using prepared statements
• BUG#35832148: Fix Django timezone.utc deprecation warning
• BUG#35710145: Bad MySQLCursor.statement and result when query text contains code comments
• BUG#21390859: STATEMENTS GET OUT OF SYNCH WITH RESULT SETS

v8.2.0

Compare Source

======

• WL#15664: Add support for Python 3.12
• WL#15623: Improve the authentication module
• WL#15218: Support WebAuthn authentication
• BUG#35755852: Django config raise_on_warnings is ignored without isolation_level
• BUG#35733608: Server stmt spans right after the cnx aren't related to the connector's cnx span
• BUG#35547876: C/Python 8.1.0 type check build fails in the pb2 branch
• BUG#35544123: Kerberos unit tests configuration is outdated
• BUG#35503506: Query on information_schema.columns returns bytes
• BUG#35503377: First connected to server v8, then any v5 connections fail with utf8mb4 charset
• BUG#35141645: Memory leak in the mysqlx C extension

v8.1.0

Compare Source

======

• WL#15749: Remove DMG and MSI support
• WL#15672: Upgrade Python Protobuf version to 4.21.12
• WL#15630: Remove Python 3.7 support
• WL#15629: Add OpenTelemetry tracing
• WL#15591: Improve the network module
• BUG#35425076: Fix deallocating None error
• BUG#35349093: Compression doesn't work with C extension API
• BUG#35338384: PIP installs incompatible Connector/Python packages
• BUG#35318413: Fix charset mapping for MySQL 8.1.0
• BUG#35278365: Fix UnicodeDecodeError with a long field name alias (c-ext)
• BUG#35212199: Check for identifier quotes in the database name
• BUG#35140271: Regex split hanging in cursor.execute(..., multi=True) for complex queries
• BUG#29115406: CONTRIBUTION - FIX RECV COMPRESS BUG

v8.0.33

Compare Source

=======

• WL#15528: Add docker build/test support for existing server
• WL#15483: Support OCI ephemeral key-based authentication
• WL#15435: Improve the logging system
• WL#15401: Support for type hints in module mysqlx
• BUG#35233031: Connector/Python should not default to mysql_native_password
• BUG#35015758: COM_QUIT should not be called in the connection phase
• BUG#34984850: Fix binary conversion with NO_BACKSLASH_ESCAPES mode
• BUG#31355895: Fix slow executemany() with insert statements
• BUG#30103652: Connector/Python ClientFlag SESION_TRACK is a misspelling
• BUG#27489972: Several COM_% commands have been deprecated
• BUG#27359063: Support for dictionary, named_tuple, and raw to prepared statements cursor
• BUG#21476351: Too small chunks when sending huge parameters with COM_STMT_SEND_LONG_DATA

v8.0.32

Compare Source

=======

• WL#15348: Support MIT Kerberos library on Windows
• WL#15036: Support for type hints
• WL#14861: Remove distutils support
• BUG#34773422: Connector/Python 8.0.31 installation fails if Python version is 3.11.0
• BUG#34727432: Fix Django datetime error when USE_TZ=True in settings
• BUG#34710366: Django implementation does not pass unit tests
• BUG#34695103: Remove debug messages that shows authentication data
• BUG#34690501: Connector/Python depends on outdated protobuf
• BUG#34689812: Fix datetime conversion when using prepared cursors
• BUG#34675508: Character set 'utf8' unsupported in python mysql connector when using MariaDB
• BUG#34655520: Wrong MySQLCursor.statement values in the results of cursor.execute(..., multi=True)
• BUG#34556157: Kerberos authorization fails when using SSPI as security interface
• BUG#34499578: MySQLCursor.executemany() fails to correctly identify BULK data loading ops
• BUG#34467201: Add init_command connection option
• BUG#33904362: mysqlx (X DevAPI) does not work properly with Russian characters
• BUG#32625155: Tests fail against group replication cluster
• BUG#30089671: Fix decoding VARBINARY columns when using a prepared cursor
• BUG#28020811: Fix multiple reference leaks in the C extension
• BUG#27426532: Reduce callproc roundtrip time
• BUG#24364556: Improve warning behavior
• BUG#23342572: Allow dictionaries as parameters in prepared statements
• BUG#23339387: Add MySQLCursorPreparedDict option
• BUG#22906307: MySQLConverter.escape() does not work for dates
• BUG#20504804: cursor.executemany() fails with INSERT IGNORE

v8.0.31

Compare Source

=======

• WL#15156: Add support for Python 3.11
• BUG#34373612: Fix the assumption that gcc is the default compiler
• BUG#34283402: Binary data starting with 0x00 are returned as empty string
• BUG#34217492: Exec of stored procedures with args fails when db prefix used
• BUG#33987119: TEXT and with a _bin collation (e.g: utf8mb4_bin) are considered as bytes object
• BUG#28491115: Connector/Python crashes on 0 time value
• BUG#28295478: Align exception types raised by pure Python and c-ext
• BUG#27634910: Add warning count method to cursors
• BUG#21529893: Resultset handling not proper in C-Python with c-ext
• BUG#21463298: Fix weakly-referenced object no longer exists exception
• BUG#21402805: Unbound local error when charset name is given as empty to set_charset_collation()

v8.0.30

Compare Source

=======

• WL#15212: Update collation mappings
• WL#15151: Increase to 88 characters per line
• WL#15137: Fix linting issues
• WL#15035: Enforce PEP 7 and PEP 8 coding style
• WL#14822: Refactor the authentication plugin mechanism
• WL#14815: Support OpenSSL 3.0
• BUG#34260344: Disallow empty strings in collection fields
• BUG#34231226: Generated classes do not work with the latest Protobuf
• BUG#34228442: Fix NO_BACKSLASH_ESCAPES SQL mode support in c-ext
• BUG#34223015: Invalidate the usage of non-compatible cursor types
• BUG#34127959: Add isolation level support in Django backend
• BUG#33923516: Allow tuple of dictionaries as "failover" argument
• BUG#28821983: Fix rounding errors for decimal values
• BUG#28295504: Disable SSL when using Unix socket connections

v8.0.29

Compare Source

=======

• WL#14860: Support FIDO authentication (c-ext)
• WL#14852: Align TLS option checking across connectors
• WL#14824: Remove Python 3.6 support
• WL#14679: Allow custom class for data type conversion in Django backend
• WL#14665: SSPI Kerberos authentication for Windows (pure-python)
• BUG#33861549: Replace SHOW VARIABLES inefficient statements
• BUG#33747585: Fix error when using an expression as a column without an alias
• BUG#33729842: Character set 'utf8mb3' support
• BUG#33481203: OverflowError for MySQL BIGINT on c-ext
• BUG#33203161: Exception is thrown on close connection with pooling
• BUG#30203754: Prepared stmt fails on cext with BIGINTS
• BUG#28877987: Return bytes or bytearray if decoding fails
• BUG#27634914: Remove mention of unsupported functionality in Session docstring
• BUG#23338623: Add support for Decimal parsing in protocol.py
• BUG#23324748: Guarantee file closing of input files in optionfile
• BUG#21528553: Fix API inconsistency when using consume_results=True
• BUG#21498719: Fix conversion of Python bytearray (c-ext)
• BUG#20065830: NaN is not supported

v8.0.28

Compare Source

=======

• WL#14814: Remove support for TLS 1.0 and 1.1
• WL#14813: Add support for Python 3.10
• WL#14720: Support for Multi Factor authentication (pure Python)
• WL#14667: Support for Multi Factor authentication (c-ext)
• BUG#33486094: Stored value in Decimal field is returned as str on prepared pure python cursor
• BUG#33410592: Fix compiler warnings
• BUG#33409819: Fix failure when using a conversion class in CMySQLConnection
• BUG#27358941: Invalid types for params silently ignored in execute method

v8.0.27

Compare Source

=======

• WL#14710: Support OCI IAM authentication
• WL#14689: Fallback conversion to str for types incompatible with MySQL
• WL#14664: Allow SSPI Kerberos library usage with c-ext
• BUG#33177337: Connection with chained SSL certs fails with ssl_verify_identity
• BUG#28641350: mysqlx.result.Row objects cannot be printed directly

v8.0.26

Compare Source

=======

• WL#14634: Running unit tests against external server
• WL#14542: Deprecate TLS 1.0 and 1.1
• WL#14440: Support for authentication_kerberos_client authentication plugin
• WL#14306: Integrate QA tests into Connector/Python test suite
• WL#14237: Support query attributes
• BUG#32947160: Remove MySQLdb module dependency from Django backend
• BUG#32838010: Fix option files parsing with include directive
• BUG#32789076: MSI is missing required libraries to use auth_ldap_client plugin
• BUG#32778827: Raise an error if the _id is different when replacing a document
• BUG#32740486: Fix typo in docstring
• BUG#32623479: The X DevAPI returns str for binary types values
• BUG#32585611: Fix broken links in X DevAPI reference documentation search
• BUG#31528783: Fix number with ZEROFILL not handled by C extension

v8.0.25

Compare Source

=======

This release contains no functional changes and is published to align
the version number with the MySQL Server 8.0.25 release.

v8.0.24

Compare Source

=======

• WL#14424: Improve timeout error messages
• WL#14240: Remove Python 3.5 support
• WL#14239: Remove Python 2.7 support
• WL#14212: Support connection close notification
• WL#14027: Add support for Python 3.9
• BUG#32532744: MSI destination folder page lacks details of what installs
• BUG#32497631: Prepared statements fail when parameters are not given
• BUG#32496788: Prepared statements accepts any type of parameters
• BUG#32435181: Add support for Django 3.2
• BUG#32162928: Change user command fails on pure python implementation
• BUG#32120659: Prepared statements w/o parameters violates MySQL protocol
• BUG#32039427: Remove python 3.4 support in MSI packaging
• BUG#32029891: Add context manager support for pooled connections
• BUG#31490101: Fix wrong cast of Python unicode to std::string
• BUG#31315173: Added documentation for multi-host and failover
• BUG#30416704: Binary columns returned as strings

v8.0.23

Compare Source

=======

• WL#14263: Add support for SCRAM-SHA-256
• WL#14238: Deprecate Python 2.7 support
• WL#14215: Replace language in APIs and source code/docs
• WL#14213: Support GSSAPI - Kerberos auth
• BUG#32165864: Fix segmentation fault when using invalid SQL with prepared statements
• BUG#31882419: Fix error when getting the connection ID from a CMySQLConnection
• BUG#29195610: Fix cursor.callproc() using namedtuple and dictionary cursors
• BUG#26834307: Make cursor.fetchone() and cursor.fetchmany() PEP 249 compliant
• BUG#24938411: Fix datetime microsecond conversion

v8.0.22

Compare Source

=======

• WL#14110: Add support for SCRAM-SHA-1
• WL#14098: Add option to specify LOAD DATA LOCAL IN PATH
• WL#13997: Refactoring of the building system
• WL#13995: Add support for configurable compression levels
• WL#13994: Support clear text passwords
• WL#13380: Add support for Django 3.0
• BUG#31335275: Fix memory leak when using the Decimal data type
• BUG#31267800: Include copyright header in the modules generated by protoc
• BUG#27535063: Fix wrong error message when specifying the collation for a non TEXT field
• BUG#20811567: Support use_pure option in config_files

v8.0.21

Compare Source

=======

• WL#13847: Add support for context managers
• WL#13059: Add schema validation support
• WL#12501: Connection compression
• BUG#31098686: Unittests for CMD_CHANGE_USER does not cover CMySQLConnection defaults
• BUG#31060730: Skip pure Python tests if Protobuf is not available
• BUG#30996790: Fix connect_timeout option behavior
• BUG#30950184: Fix error when using the fractional part in DATETIME
• BUG#29808262: Fix BLOB types conversion
• BUG#29181907: Fix discovering of MySQL libraries
• BUG#28627768: JSON_REPLACE not working correctly for SQL tables
• BUG#27602636: Expressions in Table.update.set() raises an exception
• BUG#27489937: Support for connection pools in the C extension

v8.0.20

Compare Source

=======

• WL#13334: Connector support for failover and load-balancing
• BUG#30643277: Add missing raise statement when queue is full
• BUG#30608703: Fix fetchmany when the last fetch is not a full batch

v8.0.19

Compare Source

=======

• WL#13531: Remove xplugin namespace
• WL#13372: DNS SRV support
• WL#12738: Specify TLS ciphers to be used by a client or session
• BUG#30270760: Fix reserved filed should have a length of 22
• BUG#29417117: Close file in handle load data infile

v8.0.18

Compare Source

=======

• WL#13330: Single C/Python (Win) MSI installer
• WL#13335: Connectors should handle expired password sandbox without SET operations
• WL#13194: Add support for Python 3.8
• BUG#29909157: Table scans of floats causes memory leak with the C extension
• BUG#25349794: Add read_default_file alias for option_files in connect()

v8.0.17

Compare Source

=======

• WL#13155: Support new utf8mb4 bin collation
• WL#12737: Add overlaps and not_overlaps as operator
• WL#12735: Add README.rst and CONTRIBUTING.rst files
• WL#12227: Indexing array fields
• WL#12085: Support cursor prepared statements with C extension
• BUG#29855733: Fix error during connection using charset and collation combination
• BUG#29833590: Calling execute() should fetch active results
• BUG#21072758: Support for connection attributes classic

v8.0.16

Compare Source

=======

• WL#12864: Upgrade of Protobuf version to 3.6.1
• WL#12863: Drop support for Django versions older than 1.11
• WL#12489: Support new session reset functionality
• WL#12488: Support for session-connect-attributes
• WL#12297: Expose metadata about the source and binaries
• WL#12225: Prepared statement support
• BUG#29324966: Add missing username connection argument for driver compatibility
• BUG#29278489: Fix wrong user and group for Solaris packages
• BUG#29001628: Fix access by column label in Table.select()
• BUG#28479054: Fix Python interpreter crash due to memory corruption
• BUG#27897881: Empty LONG BLOB throws an IndexError

v8.0.15

Compare Source

=======

• BUG#29260128: Disable load data local infile by default

v8.0.14

Compare Source

=======

• WL#12607: Handling of Default Schema
• WL#12493: Standardize count method
• WL#12492: Be prepared for initial notice on connection
• BUG#28646344: Remove expression parsing on values
• BUG#28280321: Fix segmentation fault when using unicode characters in tables
• BUG#27794178: Using use_pure=False should raise an error if cext is not available
• BUG#27434751: Add a TLS/SSL option to verify server name

v8.0.13

Compare Source

=======

• WL#12239: Add support for Python 3.7
• WL#12226: Implement connect timeout
• WL#11897: Implement connection pooling for xprotocol
• BUG#28278352: C extension mysqlx Collection.add() leaks memory in sequential calls
• BUG#28037275: Missing bind parameters causes segfault or unclear error message
• BUG#27528819: Support special characters in the user and password using URI

v8.0.12

Compare Source

=======

• WL#11951: Consolidate discrepancies between pure and c extension
• WL#11932: Remove Fabric support
• WL#11898: Core API v1 alignment
• BUG#28188883: Use utf8mb4 as the default character set
• BUG#28133321: Fix incorrect columns names representing aggregate functions
• BUG#27962293: Fix Django 2.0 and MySQL 8.0 compatibility issues
• BUG#27567999: Fix wrong docstring in ModifyStatement.patch()
• BUG#27277937: Fix confusing error message when using an unsupported collation
• BUG#26834200: Deprecate Row.get_string() method
• BUG#26660624: Fix missing install option in documentation

v8.0.11

Compare Source

=======

• WL#11668: Add SHA256_MEMORY authentication mechanism
• WL#11614: Enable C extension by default
• WL#11448: New document _id generation support
• WL#11282: Support new locking modes NOWAIT and SKIP LOCKED
• BUG#27639119: Use a list of dictionaries to store warnings
• BUG#27634885: Update error codes for MySQL 8.0.11
• BUG#27589450: Remove upsert functionality from WriteStatement class
• BUG#27528842: Fix internal queries open for SQL injection
• BUG#27364914: Cursor prepared statements do not convert strings
• BUG#24953913: Fix failing unittests
• BUG#24948205: Results from JSON_TYPE() are returned as bytearray
• BUG#24948186: JSON type results are bytearray instead of corresponding python type

v8.0.6

Compare Source

======

• WL#11372: Remove configuration API
• WL#11303: Remove CreateTable and CreateView
• WL#11281: Transaction savepoints
• WL#11278: Collection.create_index
• WL#11149: Create Pylint test for mysqlx
• WL#11142: Modify/MergePatch
• WL#11079: Add support for Python 3.6

v8.0.5

Compare Source

======

• WL#11073: Add caching_sha2_password authentication plugin
• WL#10975: Add Single document operations
• WL#10974: Add Row locking methods to find and select operations
• WL#10973: Allow JSON types as operands for IN operator
• WL#10899: Add support for pure Python implementation of Protobuf
• WL#10771: Add SHA256 authentication
• WL#10053: Configuration handling interface

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.