Date: Fri, 14 Apr 2017 12:37:50 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)

On Friday 17 March 2017 11:54:35 Pali Rohár wrote:
> Hi!
> 
> There is a new vulnerability in MySQL client versions 5.5 and 5.6
> which is related to SSL/TLS encryption and to the older BACKRONYM
> vulnerability.
> 
> As is common, a new vulnerability should have a name, a logo and a
> website. So enjoy the *Riddle* at http://riddle.link/
> 
> Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6
> when SSL/TLS encryption is used. Verification of the encryption
> parameters and of the existence of the SSL/TLS layer by the MySQL
> client is done *after* the client successfully finishes authentication.
> 
> For more details including mitigation, look at the Technical section
> on the vulnerability website: http://riddle.link/

Just to note that the last version, 6.0.2, of the MySQL Connector/C 6.0
series (which is still supported) is also affected by this vulnerability.

-- 
Pali Rohár
pali.rohar@...il.com
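The ordering flaw the thread describes, as an added illustration that is not code from the post, not MySQL's source and not the real MySQL wire format: a client that only verifies that the SSL/TLS layer exists after it has completed authentication has already handed its credentials to an on-path attacker who stripped the server's TLS capability from the greeting. The `CLIENT_SSL` bit value, the `AUTH user:password` frame, the class names and the `StrippingMitm` downgrade are assumptions of this constructed model.

```python
"""Model of 'verify TLS only after authentication' (constructed example).

Not MySQL code and not the real handshake: a peer greeting carries one
capability bit saying "I offer TLS"; the client starts TLS only if that bit
is set, then authenticates. The two login functions differ only in WHEN the
client checks that TLS was actually established.
"""


class SSLRequiredError(Exception):
    """Raised when the client required TLS but the connection is not encrypted."""


CLIENT_SSL = 0x0800  # "peer offers TLS" capability bit; value chosen for the model


class Wire:
    """Everything an on-path observer sees: each frame and whether it was encrypted."""

    def __init__(self):
        self.frames = []  # list of (encrypted: bool, payload: str)

    def plaintext(self):
        return [payload for encrypted, payload in self.frames if not encrypted]


class Server:
    """Honest server; advertises TLS in its greeting unless told otherwise."""

    def __init__(self, offers_tls=True):
        self.offers_tls = offers_tls

    def greeting(self):
        return CLIENT_SSL if self.offers_tls else 0


class StrippingMitm:
    """Downgrade attacker: relays the greeting with the TLS bit cleared."""

    def __init__(self, upstream):
        self.upstream = upstream

    def greeting(self):
        return self.upstream.greeting() & ~CLIENT_SSL


class Connection:
    """Client-side connection state over an observable wire."""

    def __init__(self, peer, wire):
        self.wire = wire
        self.capabilities = peer.greeting()
        self.tls_established = False

    def start_tls(self):
        # The handshake happens only if the peer claimed to support TLS.
        if self.capabilities & CLIENT_SSL:
            self.tls_established = True

    def send(self, payload):
        self.wire.frames.append((self.tls_established, payload))


def vulnerable_login(peer, wire, user, password, require_ssl=True):
    """Flawed ordering: authenticate first, check the TLS layer afterwards."""
    conn = Connection(peer, wire)
    conn.start_tls()
    conn.send(f"AUTH {user}:{password}")          # credentials are on the wire now
    if require_ssl and not conn.tls_established:  # the check comes too late
        raise SSLRequiredError("SSL connection error")
    return conn


def hardened_login(peer, wire, user, password, require_ssl=True):
    """Fixed ordering: nothing secret leaves the client until TLS is verified."""
    conn = Connection(peer, wire)
    if require_ssl and not (conn.capabilities & CLIENT_SSL):
        raise SSLRequiredError("peer did not offer SSL")
    conn.start_tls()
    if require_ssl and not conn.tls_established:
        raise SSLRequiredError("SSL handshake did not complete")
    conn.send(f"AUTH {user}:{password}")
    return conn


def run(login, peer, password="s3cret"):
    """Returns (client_raised, plaintext_frames_seen_by_observer)."""
    wire = Wire()
    try:
        login(peer, wire, "app", password)
        raised = False
    except SSLRequiredError:
        raised = True
    return raised, wire.plaintext()


if __name__ == "__main__":
    mitm = StrippingMitm(Server())
    print("vulnerable client vs MITM:", run(vulnerable_login, mitm))
    print("hardened client vs MITM:  ", run(hardened_login, mitm))
    print("hardened client vs honest:", run(hardened_login, Server()))
```

Both clients end up raising an error against the downgrading peer, so from the application's point of view they look identical; the difference is only visible on the wire, where the vulnerable client has already sent the password in the clear. That is why the mitigation has to move the check before authentication rather than merely making the error louder.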
