Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 14 Apr 2017 12:37:50 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)

On Friday 17 March 2017 11:54:35 Pali Rohár wrote:
> Hi!
> 
> There is a new vulnerability in MySQL client versions 5.5 and 5.6
> which is related to SSL/TLS encryption and to older BACKRONYM
> vulnerability.
> 
> As it is common, new vulnerability should have a name, logo and
> website. So enjoy the *Riddle* at http://riddle.link/
> 
> Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6
> when SSL/TLS encryption is used. Verification of encryption
> parameters and existence of SSL/TLS layer by MySQL client is done
> *after* client successfully finish authentication.
> 
> For more details including mitigation, look at Technical section on
> vulnerability website: http://riddle.link/

Just to note that also last version 6.0.2 of MySQL Connector/C 6.0 
series (which is still supported) is affected by this vulnerability.

-- 
Pali Rohár
pali.rohar@...il.com

Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.