Date: Thu, 06 Dec 2012 01:49:46 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Sergei Golubchik <serg@...monty.org>, Jan Lieskovsky <jlieskov@...hat.com>,
        Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: CVE request: Mysql/Mariadb insecure salt-usage


On 12/05/2012 05:43 AM, Sergei Golubchik wrote:
> Hi, Huzaifa!
> 
> On Dec 05, Huzaifa Sidhpurwala wrote:
>> Noticed another post by kingcope on full-disclosure, which
>> basically boils down to re-use of a salt-value when transmitting
>> passwords over a network.
>> 
>> If you could MITM/capture network packets, you could use this 
>> weakness to determine the passwords.
>> 
>> References: http://seclists.org/fulldisclosure/2012/Dec/58 
>> https://bugzilla.redhat.com/show_bug.cgi?id=883719
>> 
>> Should a CVE be assigned to this issue?
> 
> https://mariadb.atlassian.net/browse/MDEV-3915
> 
> Regards, Sergei

Please use CVE-2012-5627 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

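Added example, not code from this thread or from MySQL/MariaDB: a Python check from the defender's side that parses MySQL protocol-v10 initial handshake packets and flags a 20-byte scramble (the per-connection salt the report above refers to) that repeats across connections. The handshake packets and salt values are constructed inline, and the helper names are assumptions of this example.

```python
import struct

# Constructed sample scrambles (not captured data): a correct server sends a
# fresh random 20-byte value per connection, so a value must never repeat.
SALT_A = bytes(range(1, 21))
SALT_B = bytes(range(101, 121))


def build_handshake(scramble: bytes, thread_id: int, version: bytes = b"5.5.28") -> bytes:
    """Build a MySQL protocol-v10 initial handshake packet (constructed test input)."""
    assert len(scramble) == 20
    payload = (b"\x0a" + version + b"\x00"            # protocol 10, server version
               + struct.pack("<I", thread_id)
               + scramble[:8] + b"\x00"               # auth-plugin-data part 1, filler
               + b"\xff\xf7" + b"\x21" + b"\x02\x00"  # caps (low), charset, status
               + b"\x0f\x80" + b"\x15"                # caps (high), auth data length 21
               + b"\x00" * 10                         # reserved
               + scramble[8:] + b"\x00"               # auth-plugin-data part 2 + NUL
               + b"mysql_native_password\x00")
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def parse_handshake_scramble(packet: bytes) -> bytes:
    """Extract the 20-byte scramble from a v10 handshake packet (header + payload)."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if payload[0] != 0x0a:
        raise ValueError("not a protocol v10 handshake")
    pos = payload.index(b"\x00", 1) + 1 + 4           # skip version NUL and thread id
    part1 = payload[pos:pos + 8]
    pos += 8 + 1 + 2 + 1 + 2 + 2                      # part1, filler, caps, charset, status, caps
    plugin_len = payload[pos]
    pos += 1 + 10                                     # length byte and reserved bytes
    part2 = payload[pos:pos + max(13, plugin_len - 8)]
    return part1 + part2[:12]                         # part 2 carries 12 bytes plus NUL


def find_scramble_reuse(packets):
    """Map each scramble seen in more than one handshake to the packet indexes using it."""
    seen = {}
    for i, pkt in enumerate(packets):
        seen.setdefault(parse_handshake_scramble(pkt), []).append(i)
    return {s: idx for s, idx in seen.items() if len(idx) > 1}


# Three constructed handshakes; the first and third reuse SALT_A.
SAMPLE_PACKETS = [build_handshake(SALT_A, 1), build_handshake(SALT_B, 2),
                  build_handshake(SALT_A, 3)]

if __name__ == "__main__":
    for salt, idx in find_scramble_reuse(SAMPLE_PACKETS).items():
        print(f"scramble {salt.hex()} reused by handshakes {idx}")
```

Run against handshakes captured from successive connections to a server under test, a non-empty result means the server is handing out a repeated salt.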
