Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Mar 2017 11:54:35 +0100
From: Pali Rohár <>
Subject: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)


There is a new vulnerability in MySQL client versions 5.5 and 5.6 which 
is related to SSL/TLS encryption and to older BACKRONYM vulnerability.

As it is common, new vulnerability should have a name, logo and website. 
So enjoy the *Riddle* at

Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6 
when SSL/TLS encryption is used. Verification of encryption parameters 
and existence of SSL/TLS layer by MySQL client is done *after* client 
successfully finish authentication.

For more details including mitigation, look at Technical section on 
vulnerability website:

Pali Rohár

Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.