oss-sec mailing list archives
Re: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)
From: Pali Rohár <pali.rohar () gmail com>
Date: Fri, 14 Apr 2017 12:37:50 +0200
On Friday 17 March 2017 11:54:35 Pali Rohár wrote:
Hi! There is a new vulnerability in MySQL client versions 5.5 and 5.6 which is related to SSL/TLS encryption and to older BACKRONYM vulnerability. As it is common, new vulnerability should have a name, logo and website. So enjoy the *Riddle* at http://riddle.link/ Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6 when SSL/TLS encryption is used. Verification of encryption parameters and existence of SSL/TLS layer by MySQL client is done *after* client successfully finish authentication. For more details including mitigation, look at Technical section on vulnerability website: http://riddle.link/
Just to note that also last version 6.0.2 of MySQL Connector/C 6.0 series (which is still supported) is affected by this vulnerability. -- Pali Rohár pali.rohar () gmail com
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- Re: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure) Pali Rohár (Apr 14)