Bug 554480 - <dev-db/mariadb-10.0.20: SSL/TLS downgrade (CVE-2015-3152)
Summary: <dev-db/mariadb-10.0.20: SSL/TLS downgrade (CVE-2015-3152)
Status: RESOLVED DUPLICATE of bug 548132
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux bug wranglers
Depends on:
Reported: 2015-07-11 09:15 UTC by cyberbat
Modified: 2015-07-11 10:20 UTC (History)
Runtime testing required: ---
Description cyberbat 2015-07-11 09:15:28 UTC
The vulnerability lies within the behaviour of the '--ssl' client option, which on affected versions is treated as "advisory". Therefore, while the option would attempt to initiate an SSL/TLS connection towards a server, it would not actually require it. This allows a MITM attack to transparently "strip" the SSL/TLS protection.

The issue affects the ssl client option whether used directly or triggered automatically by the use of other ssl options ('--ssl-xxx') that imply '--ssl'.

Such behavior is clearly indicated in the MySQL reference manual as follows:

    For the server, this option specifies that the server permits but does not require
    SSL connections.

    For a client program, this option permits but does not require the client to
    connect to the server using SSL. Therefore, this option is not sufficient in
    itself to cause an SSL connection to be used. For example, if you specify this
    option for a client program but the server has not been configured to permit
    SSL connections, an unencrypted connection is used.

In a similar manner to the new '--ssl' option behaviour, users of the MySQL client library (Connector/C, libmysqlclient), as of MySQL 5.7.3, can take advantage of the MYSQL_OPT_SSL_ENFORCE option to enforce SSL/TLS connections.
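The downgrade described above comes down to one decision the client makes when it reads the server's initial handshake: if the CLIENT_SSL capability bit is missing, an "advisory" client silently continues in plaintext, whereas an enforcing client (the MYSQL_OPT_SSL_ENFORCE behaviour) must refuse. The following is an added Python model of that decision, not code from the bug report or from the MySQL/MariaDB client library; the handshake layout is the documented MySQL protocol v10 greeting, the version string and capability values are constructed samples, and `negotiate`/`build_handshake` are hypothetical helper names.

```python
"""Model of a MySQL client's TLS decision at handshake time (constructed example)."""
import struct

CLIENT_SSL = 0x0800  # capability bit: server offers to switch the connection to TLS


def parse_server_capabilities(payload: bytes) -> int:
    """Return the 32-bit capability flags from a protocol v10 initial handshake."""
    if payload[0] != 10:
        raise ValueError("only protocol version 10 handshakes are modelled")
    end = payload.index(b"\x00", 1)        # NUL-terminated server version string
    pos = end + 1 + 4 + 8 + 1              # skip connection id, auth-data part 1, filler
    lower, = struct.unpack_from("<H", payload, pos)
    pos += 2 + 1 + 2                       # skip lower caps, charset, status flags
    upper, = struct.unpack_from("<H", payload, pos)
    return lower | (upper << 16)


def negotiate(handshake: bytes, ssl_requested: bool, ssl_enforce: bool) -> str:
    """Decide the transport the way an advisory (--ssl) or enforcing client would.

    ssl_requested models '--ssl' or any '--ssl-xxx' option that implies it;
    ssl_enforce models MYSQL_OPT_SSL_ENFORCE.  Returns "tls" or "plaintext",
    or raises when TLS was required but the server greeting did not offer it.
    """
    caps = parse_server_capabilities(handshake)
    if ssl_requested and caps & CLIENT_SSL:
        return "tls"
    if ssl_requested and ssl_enforce:
        raise ConnectionError("server did not offer TLS; refusing plaintext fallback")
    return "plaintext"                     # the advisory behaviour: silent downgrade


def build_handshake(caps: int) -> bytes:
    """Construct a minimal v10 greeting carrying the given capability flags."""
    return (bytes([10]) + b"5.5.0-constructed\x00" + struct.pack("<I", 7)
            + b"A" * 8 + b"\x00" + struct.pack("<H", caps & 0xFFFF)
            + b"\x21" + struct.pack("<H", 2) + struct.pack("<H", caps >> 16))


# A greeting from a TLS-capable server, and the same greeting with CLIENT_SSL cleared,
# which is what the client sees when the capability has been stripped in transit.
HONEST_GREETING = build_handshake(0x00080201 | CLIENT_SSL)
STRIPPED_GREETING = build_handshake(0x00080201)

if __name__ == "__main__":
    print("advisory client, honest server  :", negotiate(HONEST_GREETING, True, False))
    print("advisory client, stripped caps  :", negotiate(STRIPPED_GREETING, True, False))
    try:
        negotiate(STRIPPED_GREETING, True, True)
    except ConnectionError as exc:
        print("enforcing client, stripped caps :", exc)
```

The second line of output is the CVE in miniature: the advisory client reports "plaintext" without any error, so only the enforcing mode (or an application-side check that the session actually negotiated a cipher) detects the downgrade.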
Comment 1 Alex Legler (RETIRED) 2015-07-11 10:20:16 UTC
Please search for duplicates and take note of our clear instructions when filing bugs:

"Gentoo Linux: The Gentoo Linux Distribution – Ebuilds and System related issues
Examples for bugs that should >>>>>NOT<<<<< be filed here:
Security updates (use Gentoo Security below)"

*** This bug has been marked as a duplicate of bug 548132 ***