https://bugzilla.redhat.com/show_bug.cgi?id=1467606
Bug ID: 1467606
Summary: CVE-2017-10789 perl-DBD-MySQL: Possible MITM attack when mysql_ssl=1
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: hhorak@redhat.com, jorton@redhat.com, jplesnik@redhat.com, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, ppisar@redhat.com, psabata@redhat.com
The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.
Upstream bug:
https://github.com/perl5-dbi/DBD-mysql/issues/140
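The practical consequence of the flaw described above is that a client which sets mysql_ssl=1 cannot rely on the setting alone: an affected DBD::mysql falls back to cleartext without raising an error. The following is an added example (not code from the bug report, Red Hat, or the DBD::mysql project) showing how a Perl client can verify, from the server's own status variables, that the session it just opened is actually encrypted. The host, database and credentials read from the environment are assumptions for the example; the `Ssl_cipher` status variable is a standard MySQL server variable that is empty on a cleartext session.

```perl
#!/usr/bin/perl
# Added example: connect with mysql_ssl=1, then confirm the session is really
# TLS-protected before doing anything else. Affected DBD::mysql versions treat
# mysql_ssl=1 as optional, so the connect call alone proves nothing.
use strict;
use warnings;
use DBI;

# Connection parameters are assumptions taken from the environment.
my $host = $ENV{MYSQL_HOST} // 'localhost';
my $db   = $ENV{MYSQL_DB}   // 'test';
my $user = $ENV{MYSQL_USER} // 'test';
my $pass = $ENV{MYSQL_PASS} // '';

# Ssl_cipher names the negotiated cipher on an encrypted session and is empty
# on a cleartext one; the answer comes from the server, not the client library.
sub session_is_encrypted {
    my ($dbh) = @_;
    my (undef, $cipher) = $dbh->selectrow_array("SHOW STATUS LIKE 'Ssl_cipher'");
    return defined $cipher && length $cipher ? 1 : 0;
}

my $dbh = DBI->connect(
    "DBI:mysql:database=$db;host=$host;mysql_ssl=1",
    $user, $pass,
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 },
);

if (!session_is_encrypted($dbh)) {
    $dbh->disconnect;
    die "refusing to continue: mysql_ssl=1 was requested but the session is cleartext\n";
}
print "TLS session established\n";

# ... application queries go here ...

$dbh->disconnect;
```

This check only detects a downgrade after the handshake has already completed; it does not prevent the downgrade and it does not verify the server's certificate, so it is a guard for detecting the condition, not a substitute for the upstream fix linked above.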
Adam Mariš amaris@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1467607
         Depends On|                            |1467608

--- Comment #1 from Adam Mariš amaris@redhat.com ---
Created perl-DBD-MySQL tracking bugs for this issue:
Affects: fedora-all [bug 1467608]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1467608 [Bug 1467608] CVE-2017-10788 CVE-2017-10789 perl-DBD-MySQL: various flaws [fedora-all]
Stefan Cornelius scorneli@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|impact=moderate,public=20170701,reported=20170701,source=cve,cvss3=6.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N,cwe=CWE-300,rhel-5/perl-DBD-MySQL=new,rhel-6/perl-DBD-MySQL=new,rhel-7/perl-DBD-MySQL=new,rhscl-2/rh-perl520-perl-DBD-MySQL=new,rhscl-2/rh-perl524-perl-DBD-MySQL=new,fedora-all/perl-DBD-MySQL=affected
                   |
                   |impact=moderate,public=20170701,reported=20170701,source=cve,cvss3=6.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N,cwe=CWE-300,rhel-5/perl-DBD-MySQL=wontfix,rhel-6/perl-DBD-MySQL=wontfix,rhel-7/perl-DBD-MySQL=wontfix,rhscl-2/rh-perl520-perl-DBD-MySQL=wontfix,rhscl-2/rh-perl524-perl-DBD-MySQL=wontfix,fedora-all/perl-DBD-MySQL=affected
Stefan Cornelius scorneli@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WONTFIX
        Last Closed|                            |2017-08-31 04:39:05
--- Comment #3 from Stefan Cornelius scorneli@redhat.com ---
Statement:
Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Bug 1467606 depends on bug 1467608, which changed state.

Bug 1467608 Summary: CVE-2017-10788 CVE-2017-10789 perl-DBD-MySQL: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1467608

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|MODIFIED                    |CLOSED
         Resolution|---                         |EOL
Bug 1467606 depends on bug 1467608, which changed state.

Bug 1467608 Summary: CVE-2017-10788 CVE-2017-10789 perl-DBD-MySQL: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1467608

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |NEW
         Resolution|EOL                         |---
Bug 1467606 depends on bug 1467608, which changed state.

Bug 1467608 Summary: CVE-2017-10788 CVE-2017-10789 perl-DBD-MySQL: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1467608

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WORKSFORME