[debian-mysql] Bug#699886: TLS timing attack in yaSSL (Lucky 13)

Thijs Kinkhorst thijs at debian.org
Wed Feb 6 10:47:28 UTC 2013


Package: mysql-5.5
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/

The issue has been fixed in upstream yaSSL 2.5.0:
http://www.yassl.com/yaSSL/Docs-cyassl-changelog.html

The generic protocol issue has been assigned CVE name CVE-2013-0169. The
yaSSL-specific fix is known as CVE-2013-1623. Please mention these identifiers
in the changelog.

Can you see to it that this issue is addressed in unstable and testing?


Cheers,
Thijs