Date: Wed, 5 Jul 2017 10:11:48 +0200
From: Pali Rohár <pali.rohar@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-10789: DBD::mysql - mysql_ssl=1 does not enforce encryption

Hi! I would like to announce another problem in DBD::mysql which affects
only encryption between client and server. If you have a fully trusted
connection then you should not be affected.

The Perl DBD::mysql driver does not enforce SSL/TLS encryption when the
option mysql_ssl=1 is enabled. Enabling encryption depends on the MySQL
server's announcement of what it supports, which a man-in-the-middle
attacker can spoof. DBD::mysql does not enforce SSL/TLS encryption even
when a certificate is specified via the connection parameter
mysql_ssl_ca_file.

Therefore usage of SSL/TLS encryption in DBD::mysql is insecure.

The libmysqlclient.so library had a similar problem, see CVE-2015-3152.
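A defensive check an application can perform after connecting, added here as an example and not part of the advisory or of DBD::mysql itself: ask the server which cipher the session actually negotiated and refuse to proceed if none was. The DSN, host, CA path and credentials are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Placeholder connection parameters (not from the advisory).
my $dsn = "DBI:mysql:database=example;host=db.example.internal;"
        . "mysql_ssl=1;mysql_ssl_ca_file=/etc/ssl/certs/mysql-ca.pem";
my ($user, $pass) = ('app', $ENV{DB_PASSWORD} // '');

# Connect, then verify that the driver did not silently fall back to
# plaintext because the server capability flags said "no SSL".
sub connect_and_verify_tls {
    my ($dsn, $user, $pass) = @_;
    my $dbh = DBI->connect($dsn, $user, $pass,
                           { RaiseError => 1, PrintError => 0 });

    # Ssl_cipher is empty when the current session is unencrypted.
    my (undef, $cipher) = $dbh->selectrow_array(
        q{SHOW SESSION STATUS LIKE 'Ssl_cipher'});

    if (!defined $cipher || $cipher eq '') {
        $dbh->disconnect;
        die "connection is NOT encrypted (Ssl_cipher empty), aborting\n";
    }
    return ($dbh, $cipher);
}

my ($dbh, $cipher) = connect_and_verify_tls($dsn, $user, $pass);
print "TLS in use: $cipher\n";
$dbh->disconnect;
```

Because the status query travels over the same connection, an active interceptor could forge its answer as well; the check catches a silent plaintext fallback but is not a substitute for a driver version that actually enforces mysql_ssl=1.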

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789

-- 
Pali Rohár
pali.rohar@...il.com
