| Summary | dev-db/percona-server: SSL/TLS downgrade | | |
|---|---|---|---|
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | trivial | CC | mysql-bugs |
| Priority | Low | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.openwall.com/lists/oss-security/2015/04/29/4 | | |
| Whiteboard | ~4 [noglsa cve] | | |
| Package list | | Runtime testing required | --- |
Description
Agostino Sarubbo
2015-04-29 14:36:24 UTC
Comment #1
Christopher Díaz

ping.

MariaDB is already fixed in tree, I can't find any related info for Percona.

MySQLConnector seems to be fixed and stable in tree.

MySQL still needs a version bump, first fixed version is 5.7.3 and we have 5.6.37 in tree.

@Maintainers could you please confirm and bump a new version if necessary?

Gentoo Security Padawan
ChrisADR

Comment #2

(In reply to Christopher Díaz from comment #1)
> ping.
>
> MariaDB is already fixed in tree, I can't find any related info for Percona.
>
> MySQLConnector seems to be fixed and stable in tree.
>
> MySQL still needs a version bump, first fixed version is 5.7.3 and we have
> 5.6.37 in tree.
>
> @Maintainers could you please confirm and bump a new version if necessary?
>
> Gentoo Security Padawan
> ChrisADR

MySQL 5.7 will not be entering the tree any time soon. Are you sure that 5.6.37 doesn't have this fix? It is still security supported.

Comment #3
Christopher Díaz

From: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html#mysqld-5-7-3-security

> Incompatible Change: Previously, the --ssl option has been treated as advisory:
> When given, an encrypted connection was permitted but not required. Also, several
> other --ssl-xxx options implied --ssl. Because of this, the option was usually not
> used explicitly as --ssl, but in its negated form as --ssl=0, which prevents use
> of encryption. This was true on both the client and server sides, and true for any
> synonyms of --ssl (--ssl=1, --enable-ssl) or --ssl=0 (--skip-ssl, --disable-ssl).
>
> Now the meaning of --ssl has changed on the client-side only. (There are no
> secure-connection changes on the server side.)

Seems it was not backported.

Gentoo Security Padawan
ChrisADR

Comment #4

(In reply to Christopher Díaz from comment #3)
> From:
>
> https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html#mysqld-5-7-3-security
>
> > Incompatible Change: Previously, the --ssl option has been treated as advisory:
> > When given, an encrypted connection was permitted but not required. Also, several
> > other --ssl-xxx options implied --ssl. Because of this, the option was usually not
> > used explicitly as --ssl, but in its negated form as --ssl=0, which prevents use
> > of encryption. This was true on both the client and server sides, and true for any
> > synonyms of --ssl (--ssl=1, --enable-ssl) or --ssl=0 (--skip-ssl, --disable-ssl).
> >
> > Now the meaning of --ssl has changed on the client-side only. (There are no
> > secure-connection changes on the server side.)
>
> Seems it was not backported.
>
> Gentoo Security Padawan
> ChrisADR

I disagree with 5.6.36 Release Notes.

The mysql_options() C API function now supports a MYSQL_OPT_SSL_MODE option. The only permitted option value is SSL_MODE_REQUIRED, to require an encrypted connection to the server. It causes mysql_real_connect() to fail if an encrypted connection cannot be obtained, without falling back to an unencrypted connection. Thus, mysql_real_connect() returns an error if the server does not support SSL or the client is not configured to use SSL. The client/server exchange terminates immediately after the initial server packet has been received if the server indicates that it does not support SSL.

To require an encrypted connection in MySQL 5.6, the standard MySQL client programs call mysql_options() to set MYSQL_OPT_SSL_MODE if the --ssl-mode=REQUIRED command-line option was specified. Third-party applications that must be able to require encrypted connections can use the same technique. For details, see mysql_ssl_set().

Comment #5
Christopher Díaz

Awesome, as this report is about percona-server and the current version is 5.6.37.x, are we ready to mark it as resolved?

Thank you very much.

Gentoo Security Padawan
ChrisADR
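The SSL_MODE_REQUIRED behaviour quoted from the 5.6.36 release notes in comment #4 (the client aborts as soon as the initial server packet shows no SSL support, instead of silently falling back to plaintext as the old advisory --ssl did), modelled on the wire in Python as an added example. This is not code from the bug, Percona or MySQL: the HandshakeV10 packets, the `build_handshake_v10()`/`parse_handshake_v10()`/`negotiate()` helpers and the sample server versions are constructed here; the capability-flag values are the standard MySQL protocol constants.

```python
import struct

# MySQL client/server protocol capability flags (standard wire values)
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800           # server sets this if it accepts an SSL/TLS handshake
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

def build_handshake_v10(server_version: str, capabilities: int) -> bytes:
    """Construct a Protocol::HandshakeV10 packet (4-byte header + payload). Test data only."""
    body = bytes([10]) + server_version.encode() + b"\x00"   # protocol version, server version
    body += struct.pack("<I", 1234)                           # connection id (constructed)
    body += b"A" * 8 + b"\x00"                                # auth-plugin-data-part-1, filler
    body += struct.pack("<H", capabilities & 0xFFFF)          # capability flags, lower 16 bits
    body += bytes([0x21]) + struct.pack("<H", 0x0002)         # charset utf8, status flags
    body += struct.pack("<H", capabilities >> 16)             # capability flags, upper 16 bits
    body += bytes([21]) + b"\x00" * 10 + b"B" * 13            # auth data length, reserved, part-2
    body += b"mysql_native_password\x00"                      # auth plugin name
    return len(body).to_bytes(3, "little") + b"\x00" + body   # payload length, sequence id 0

def parse_handshake_v10(packet: bytes) -> dict:
    """Extract the fields of the initial server packet a client needs for the SSL decision."""
    payload_len = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + payload_len]
    if len(body) != payload_len or body[0] != 10:
        raise ValueError("not a HandshakeV10 packet")
    nul = body.index(b"\x00", 1)
    pos = nul + 1 + 4 + 8 + 1          # skip version string, connection id, auth data, filler
    cap_low = struct.unpack_from("<H", body, pos)[0]
    cap_high = struct.unpack_from("<H", body, pos + 2 + 1 + 2)[0]   # after charset, status
    return {"server_version": body[1:nul].decode(),
            "capabilities": cap_low | (cap_high << 16)}

def negotiate(packet: bytes, require_tls: bool) -> str:
    """Client decision after the initial server packet.

    require_tls=True models SSL_MODE_REQUIRED: abort before any credentials are sent
    if the server did not advertise CLIENT_SSL. require_tls=False models the old
    advisory --ssl, which silently fell back to an unencrypted connection.
    """
    caps = parse_handshake_v10(packet)["capabilities"]
    if caps & CLIENT_SSL:
        return "tls"
    if require_tls:
        raise ConnectionError("server does not support SSL; refusing plaintext fallback")
    return "plaintext"

# Constructed sample packets: a server that accepts TLS and one that does not
BASE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
TLS_SERVER = build_handshake_v10("5.6.37", BASE_CAPS | CLIENT_SSL)
NO_TLS_SERVER = build_handshake_v10("5.6.37", BASE_CAPS)
```

On a capture, the same capability check on the server's first packet tells you whether a client that later continues in cleartext was downgraded by the server or simply never requested TLS.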