Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC

Bug 612922 (CVE-2017-3305)

Summary: dev-db/mysql: incorrect enforcement of ssl-mode=REQUIRED in MySQL 5.5 and 5.6
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: mysql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/03/17/3
See Also: https://bugs.gentoo.org/show_bug.cgi?id=548132
Whiteboard: A3 [ebuild/upstream cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 625626    

Description Agostino Sarubbo gentoo-dev 2017-03-17 14:53:08 UTC
From ${URL} :

There is a new vulnerability in MySQL client versions 5.5 and 5.6 which 
is related to SSL/TLS encryption and to older BACKRONYM vulnerability.

As it is common, new vulnerability should have a name, logo and website. 
So enjoy the *Riddle* at http://riddle.link/

Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6 
when SSL/TLS encryption is used. Verification of encryption parameters 
and existence of SSL/TLS layer by MySQL client is done *after* client 
successfully finish authentication.

For more details including mitigation, look at Technical section on 
vulnerability website: http://riddle.link/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-03-17 22:43:15 UTC
Oracle implemented enforcement of ssl-mode=REQUIRED in response to CVE-2015-3152 which is bug 548132. However, the backport for 5.5.49 and 5.6.30 release is flawed:

It was found that MySQL client when specified to use SSL/TLS mode is authenticating to MySQL server not supporting SSL/TLS, client will fallback to plain text protocol used for authentication. After successful authentication client checks if SSL/TLS layer is required and if server doesn't support it, client will close the connection with error.

Active MITM attacker can downgrade SSL/TLS to plain text and forward nonce from server back to client. MITM attacker receive login data (for server nonce) from client and send it to server to authenticate as client.

This issue is present in libmysqlclient.so in 5.5 and 5.6 versions.

External References:

http://riddle.link/
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2017-08-15 04:40:08 UTC
Maintainers please confirm that this is fixed in Bug # 625626
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-04 01:28:10 UTC
Lets try this again: 
Maintainers please confirm that this is fixed in Bug # 625626