Bug 320947 (CVE-2009-4833)

Summary:	dev-dotnet/mysql-connector-net: MITM (CVE-2009-4833)
Product:	Gentoo Security	Reporter:	Stefan Behte (RETIRED) <craig>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	dotnet, jurek
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://bugs.mysql.com/bug.php?id=38700
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---

Description Stefan Behte (RETIRED) gentoo-dev

2010-05-21 21:25:39 UTC

CVE-2009-4833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4833):
  MySQL Connector/NET before 6.0.4, when using encryption, does not
  verify SSL certificates during connection, which allows remote
  attackers to perform a man-in-the-middle attack with a spoofed SSL
  certificate.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2010-05-21 21:28:36 UTC

Our in-tree version is extremly dusty. We have 1.0.9, the current one is 6.2.3!

Comment 2 Alistair Bush (RETIRED) gentoo-dev

2010-07-14 11:33:07 UTC

I have bumped mysql-connector-net to 6.2.3 so this can probably be closed.

All ebuilds were ~arch so I wouldn't have thought security would have been involved.

Comment 3 Alex Legler (RETIRED) archtester

2010-07-14 12:54:09 UTC

Thanks. Closing noglsa