Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2015-8838

ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

Related bugs and status

CVE-2015-8838 (Candidate) is related to these bugs:

Bug #1509817: libxml_disable_entity_loader is not theadsafe

Summary				In	Importance	Status
	1509817	libxml_disable_entity_loader is not theadsafe		php5 (Ubuntu)	Undecided	Fix Released
	1509817	libxml_disable_entity_loader is not theadsafe		php5 (Ubuntu Trusty)	Undecided	Fix Released

Bug #1564388: mysqlnd is vulnerable to BACKRONYM (CVE-2015-8838)

Summary				In	Importance	Status
	1564388	mysqlnd is vulnerable to BACKRONYM (CVE-2015-8838)		php5 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://git.php.net/?p=...
CONFIRM: http://php.net/ChangeL...
CONFIRM: https://bugs.php.net/b...
SUSE: SUSE-SU-2016:1145
SUSE: SUSE-SU-2016:1166
SUSE: openSUSE-SU-2016:1167
SUSE: openSUSE-SU-2016:1173
UBUNTU: USN-2952-1
UBUNTU: USN-2952-2