Bug#866821: libdbd-mysql-perl: CVE-2017-10789
Guido Günther
agx at sigxcpu.org
Mon Aug 28 12:53:12 UTC 2017
Hi,
On Sun, Jul 02, 2017 at 09:26:07AM +0200, Salvatore Bonaccorso wrote:
> Source: libdbd-mysql-perl
> Version: 4.028-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for libdbd-mysql-perl.
>
> CVE-2017-10789[0]:
> | The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1
> | setting to mean that SSL is optional (even though this setting's
> | documentation has a "your communication with the server will be
> | encrypted" statement), which allows man-in-the-middle attackers to
> | spoof servers via a cleartext-downgrade attack, a related issue to
> | CVE-2015-3152.
>
> Related upstream report handling this as a subtask at [1] and
> respective pull request with fixes for the issues discussed in [1] at
> [2].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10789
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
> [1] https://github.com/perl5-dbi/DBD-mysql/issues/110
> [2] https://github.com/perl5-dbi/DBD-mysql/pull/114
While a patch for this was upstream in 4.042 (around
b6be72f321e920419bdc5c86998d9b9cb26c6791) upstream reverted _all_
changes of back to 4.041.
More information about the pkg-perl-maintainers
mailing list