Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Jan 2018 15:10:23 +0100
From: Daniël van Eeden <daniel.vaneeden@...king.com>
To: dbi-dev@...l.org, oss-security@...ts.openwall.com
Subject: DBD::mysql and SSL/TLS

Hi,

I have some serious concerns about the state of SSL/TLS in DBD::mysql.

Issue 1: CVE-2017-10789 isn't fixed
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789

Issue 2: Using DBD::mysql with MariaDB 10.0 or higher or MySQL 8.0 or
higher provides a false sense of security

SSL_LAST_VERIFY_VERSION is set to 50799.
Any version higher than that silently ignores mysql_ssl_verify_server_cert

This can lead to unencrypted connections even with strict SSL settings.

Issue 3: If SSL support is unavailable but ssl options are set then these
options are silently ignored.

issue 4: If compiled against MySQL 5.7 then SSL/TLS is used when available,
but can't be disabled. (mysql_ssl=0 is ignored).

This makes upgrading to 5.7 more difficult. And 5.7 is needed to get
support for TLSv1.1 and TLSv1.2.

There is a patch available for this:
https://github.com/perl5-dbi/DBD-mysql/pull/114


-- 
Daniël van Eeden
Database Administrator

Booking.com B.V.
Vijzelstraat 66-80 Amsterdam 1017HL Netherlands
Direct +31207033812
[image: Booking.com] <http://www.booking.com/>
The world's #1 accommodation site
43 languages, 187+ offices worldwide, 96,000+ global destinations,
1,200,000+ room nights booked every day
No booking fees, best price always guaranteed
Subsidiary of the Priceline Group (NASDAQ: PCLN)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ