
Bug 554480

Summary: <dev-db/mariadb-10.0.20: SSL/TLS downgrade (CVE-2015-3152)
Product: Gentoo Linux Reporter: cyberbat <cyberbat83>
Component: Current packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.ocert.org/advisories/ocert-2015-003.html
Whiteboard:
Package list:
Runtime testing required: ---

Description cyberbat 2015-07-11 09:15:28 UTC
The vulnerability lies within the behaviour of the '--ssl' client option, which on affected versions is treated as "advisory". Therefore, while the option would attempt to initiate an SSL/TLS connection towards a server, it would not actually require it. This allows a MITM attack to transparently "strip" the SSL/TLS protection.

The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options ('--ssl-xxx') that imply '--ssl'.

Such behavior is clearly indicated in the MySQL reference manual as follows:

    For the server, this option specifies that the server permits but does not require
    SSL connections.

    For a client program, this option permits but does not require the client to
    connect to the server using SSL. Therefore, this option is not sufficient in
    itself to cause an SSL connection to be used. For example, if you specify this
    option for a client program but the server has not been configured to permit
    SSL connections, an unencrypted connection is used.
    

In a similar manner to the new '--ssl' option behaviour, users of the MySQL client library (Connector/C, libmysqlclient), as of MySQL 5.7.3, can take advantage of the MYSQL_OPT_SSL_ENFORCE option to enforce SSL/TLS connections.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-07-11 10:20:16 UTC
Please search for duplicates and take note of our clear instructions when filing bugs:

"Gentoo Linux: The Gentoo Linux Distribution – Ebuilds and System related issues
…
Examples for bugs that should >>>>>NOT<<<<< be filed here:
Security updates (use Gentoo Security below)"

*** This bug has been marked as a duplicate of bug 548132 ***