Date: Thu, 06 Dec 2012 01:49:46 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Sergei Golubchik <serg@...monty.org>, Jan Lieskovsky <jlieskov@...hat.com>,
        Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: CVE request: Mysql/Mariadb insecure salt-usage


On 12/05/2012 05:43 AM, Sergei Golubchik wrote:
> Hi, Huzaifa!
> 
> On Dec 05, Huzaifa Sidhpurwala wrote:
>> Noticed another post by kingcope on full-disclosure, which
>> basically boils down to re-use of a salt-value when transmitting
>> passwords over a network.
>> 
>> If you could MITM/capture network packets, you could use this
>> weakness to determine the passwords.
>> 
>> References: http://seclists.org/fulldisclosure/2012/Dec/58
>> https://bugzilla.redhat.com/show_bug.cgi?id=883719
>> 
>> Should a CVE be assigned to this issue?
> 
> https://mariadb.atlassian.net/browse/MDEV-3915
> 
> Regards, Sergei

Please use CVE-2012-5627 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

