Date: Fri, 17 Mar 2017 15:54:40 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)

On Fri, Mar 17, 2017 at 11:54:35AM +0100, Pali Rohár wrote:
> There is a new vulnerability in MySQL client versions 5.5 and 5.6 which
> is related to SSL/TLS encryption and to the older BACKRONYM vulnerability.
> 
> As it is common, new vulnerability should have a name, logo and website. 
> So enjoy the *Riddle* at http://riddle.link/
> 
> Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6
> when SSL/TLS encryption is used. Verification of encryption parameters
> and existence of SSL/TLS layer by MySQL client is done *after* the client
> successfully finishes authentication.
> 
> For more details including mitigation, look at Technical section on 
> vulnerability website: http://riddle.link/

That's very nice, but per oss-security list content guidelines technical
detail should also be included in postings.  Attached as text/plain, for
archival.

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

Alexander

View attachment "riddle.txt" of type "text/plain" (13283 bytes)
