oss-sec mailing list archives
Re: CVE request: Mysql/Mariadb insecure salt-usage
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 06 Dec 2012 01:49:46 -0700
On 12/05/2012 05:43 AM, Sergei Golubchik wrote:
> Hi, Huzaifa!
>
> On Dec 05, Huzaifa Sidhpurwala wrote:
>> Noticed another post by kingcope on full-disclosure, which basically
>> boils down to re-use of a salt-value when transmitting passwords over
>> a network. If you could MITM/capture network packets, you could use
>> this weakness to determine the passwords.
>>
>> References:
>> http://seclists.org/fulldisclosure/2012/Dec/58
>> https://bugzilla.redhat.com/show_bug.cgi?id=883719
>>
>> Should a CVE be assigned to this issue?
>
> https://mariadb.atlassian.net/browse/MDEV-3915
>
> Regards,
> Sergei
Please use CVE-2012-5627 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- CVE request: Mysql/Mariadb insecure salt-usage Huzaifa Sidhpurwala (Dec 04)
- Re: CVE request: Mysql/Mariadb insecure salt-usage Sergei Golubchik (Dec 05)
- Re: CVE request: Mysql/Mariadb insecure salt-usage Kurt Seifried (Dec 06)
- Re: CVE request: Mysql/Mariadb insecure salt-usage Sergei Golubchik (Dec 05)