[debian-mysql] Bug#699886: TLS timing attack in yaSSL (Lucky 13)
Thijs Kinkhorst
thijs at debian.org
Wed Feb 6 10:47:28 UTC 2013
Package: mysql-5.5
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/
The issue has been fixed in upstream yaSSL 2.5.0:
http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html
The generic protocol issue has been assigned CVE name CVE-2013-0169. The yaSSL
specific fix is known as CVE-2013-1623. Please mention these identifiers in
the changelog.
Can you see to it that this issue is addressed in unstable and testing?
Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/attachments/20130206/6654744f/attachment.pgp>
More information about the pkg-mysql-maint
mailing list