Date: Fri, 17 Mar 2017 11:54:35 +0100 From: Pali Rohár <pali.rohar@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure) Hi! There is a new vulnerability in MySQL client versions 5.5 and 5.6 which is related to SSL/TLS encryption and to older BACKRONYM vulnerability. As it is common, new vulnerability should have a name, logo and website. So enjoy the *Riddle* at http://riddle.link/ Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6 when SSL/TLS encryption is used. Verification of encryption parameters and existence of SSL/TLS layer by MySQL client is done *after* client successfully finish authentication. For more details including mitigation, look at Technical section on vulnerability website: http://riddle.link/ -- Pali Rohár pali.rohar@...il.com [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ