Date: Wed, 5 Jul 2017 10:11:48 +0200 From: Pali Rohár <pali.rohar@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-10789: DBD::mysql - mysql_ssl=1 does not enforce encryption Hi! I would like to announce another problem in DBD::mysql which affects only encryption between client and server. If you have fully trusted connection then you should not be affected. Perl DBD::mysql driver does not enforce SSL/TLS encryption when option mysql_ssl=1 is enabled. Enabling encryption depends on announcement from MySQL server what it supports which can man-in-the-middle attack spoof. DBD::mysql does not enforce SSL/TSL encryption even when certificate is specified via connection parameter mysql_ssl_ca_file. Therefore usage of SSL/TLS encryption in DBD::mysql is insecure. Similar problem had also libmysqlclient.so library, see CVE-2015-3152. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789 -- Pali Rohár pali.rohar@...il.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.