Date: Wed, 5 Dec 2012 13:43:46 +0100 From: Sergei Golubchik <serg@...monty.org> To: oss-security@...ts.openwall.com Cc: Kurt Seifried <kseifried@...hat.com>, Jan Lieskovsky <jlieskov@...hat.com>, Huzaifa Sidhpurwala <huzaifas@...hat.com> Subject: Re: CVE request: Mysql/Mariadb insecure salt-usage Hi, Huzaifa! On Dec 05, Huzaifa Sidhpurwala wrote: > Noticed another post by kingcope on full-disclosure, which basically > boils down to re-use of a salt-value when transmitting passwords > over a network. > > If you could MITM/capture network packets, you could use this > weakness to determine the passwords. > > References: > http://seclists.org/fulldisclosure/2012/Dec/58 > https://bugzilla.redhat.com/show_bug.cgi?id=883719 > > Should this a CVE be assigned to this issue? https://mariadb.atlassian.net/browse/MDEV-3915 Regards, Sergei
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.