Comment 0 for bug 1447527

David Busby (d-busby) wrote :

This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.

In short, it is possible for the MySQL client to silently fall back to a non-SSL connection instead of aborting the connection, and as such communication will not be encrypted "in flight". This is known, documented behaviour.

This is now being assigned a CVE and an advisory is set for release on April 29th; the body of the original notification follows.

---
oCERT recently received a report from Adam Goodman, Principal Security
Architect at Duo Security, concerning a security issue in the MySQL client code.

This issue affects MariaDB, and very likely Percona as well, and is related
to https://mariadb.atlassian.net/browse/MDEV-7937

The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without the possibility of a MITM
attack performing a malicious downgrade.

The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. The situation should be similar with
MariaDB.

Therefore the vast majority of MySQL/MariaDB users:

a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and

b) are probably not aware of this limitation

The following links clearly illustrate the issue:

https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html

While technically this is documented behaviour, it represents a pretty bad
one and the feeling is that most users actually have no awareness of this.

Therefore the consensus is to treat this as a vulnerability, a CVE is
currently being assigned, distributions have been pre-notified and we are
going to release an advisory on April 29th at 15:00 CET.

We are also reaching out to MySQL and MariaDB following the original report from Duo
Security, and we are in the process of contacting other MySQL forks.
---
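The downgrade described above, modelled as an added example (not code from the bug report, oCERT, MySQL or Percona). It assumes the standard MySQL protocol v10 server greeting layout and the CLIENT_SSL capability bit (0x0800): a pre-5.7.3 client decides whether to start TLS by looking at whether the server greeting advertises CLIENT_SSL, so an in-path attacker who clears that bit gets the client to continue in plaintext even though --ssl was given. The greeting packet below is constructed for the example; the two client decision functions contrast the lenient behaviour the notification describes with the enforcing behaviour the 5.7.3 change introduced, and the final helper is the post-connect check (SHOW STATUS LIKE 'Ssl_cipher') a practitioner can run on an older client that cannot enforce SSL. None of these functions are the real client's code.

```python
# Added example: MySQL handshake SSL-downgrade model. All names here are
# hypothetical; the greeting bytes are constructed for the example.
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800            # server advertises "I support TLS"
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

SERVER_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SSL
               | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)


def build_greeting(capabilities: int) -> bytes:
    """Build a protocol-v10 server greeting (constructed sample, not captured)."""
    body = bytes([10])                                  # protocol version 10
    body += b"5.6.23-log\x00"                           # server version, NUL-terminated
    body += (1234).to_bytes(4, "little")                # connection id
    body += b"abcdefgh"                                 # auth-plugin-data part 1 (8 bytes)
    body += b"\x00"                                     # filler
    body += (capabilities & 0xFFFF).to_bytes(2, "little")        # capability flags, low 16
    body += bytes([0x21])                               # character set
    body += (0x0002).to_bytes(2, "little")              # status flags (AUTOCOMMIT)
    body += ((capabilities >> 16) & 0xFFFF).to_bytes(2, "little")  # capability flags, high 16
    body += bytes([21])                                 # auth-plugin-data length
    body += b"\x00" * 10                                # reserved
    body += b"ijklmnopqrst\x00"                         # auth-plugin-data part 2 (13 bytes)
    body += b"mysql_native_password\x00"                # auth plugin name
    return len(body).to_bytes(3, "little") + b"\x00" + body   # 3-byte length + sequence id 0


def _capability_fields(packet: bytes):
    """Return (capabilities, offset of low word, offset of high word) within packet."""
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if body[0] != 10:
        raise ValueError("unsupported handshake protocol version")
    version_end = body.index(b"\x00", 1)                # end of server version string
    low = version_end + 1 + 4 + 8 + 1                   # skip conn id, auth data 1, filler
    high = low + 2 + 1 + 2                              # skip low word, charset, status flags
    caps = (int.from_bytes(body[high:high + 2], "little") << 16) \
        | int.from_bytes(body[low:low + 2], "little")
    return caps, low + 4, high + 4                      # +4 for the packet header


def parse_capabilities(packet: bytes) -> int:
    return _capability_fields(packet)[0]


def strip_ssl_capability(packet: bytes) -> bytes:
    """What an in-path attacker does: rewrite the greeting so TLS is never offered."""
    caps, low, high = _capability_fields(packet)
    caps &= ~CLIENT_SSL
    out = bytearray(packet)
    out[low:low + 2] = (caps & 0xFFFF).to_bytes(2, "little")
    out[high:high + 2] = ((caps >> 16) & 0xFFFF).to_bytes(2, "little")
    return bytes(out)                                   # same length, no re-framing needed


def legacy_client_transport(server_caps: int, ssl_requested: bool) -> str:
    """Pre-5.7.3 semantics: --ssl means 'use TLS if the server offers it'."""
    if ssl_requested and server_caps & CLIENT_SSL:
        return "tls"
    return "plaintext"                                  # silent fallback; nothing is logged


def strict_client_transport(server_caps: int, ssl_requested: bool) -> str:
    """5.7.3+ semantics: --ssl means 'require TLS'; a missing offer aborts the connection."""
    if not ssl_requested:
        return "plaintext"
    if server_caps & CLIENT_SSL:
        return "tls"
    raise ConnectionError("server did not offer SSL; refusing plaintext fallback")


def connection_is_encrypted(status_rows) -> bool:
    """Post-connect check for older clients: rows from SHOW STATUS LIKE 'Ssl_cipher'.
    An empty Ssl_cipher value means the session is not encrypted."""
    for name, value in status_rows:
        if name.lower() == "ssl_cipher":
            return bool(value)
    return False


if __name__ == "__main__":
    greeting = build_greeting(SERVER_CAPS)
    tampered = strip_ssl_capability(greeting)
    print("legacy client, tampered greeting:",
          legacy_client_transport(parse_capabilities(tampered), ssl_requested=True))
    try:
        strict_client_transport(parse_capabilities(tampered), ssl_requested=True)
    except ConnectionError as exc:
        print("strict client, tampered greeting:", exc)
```

Against a real server, run `SHOW STATUS LIKE 'Ssl_cipher'` immediately after connecting and feed the rows to `connection_is_encrypted`; on any client without an enforcing `--ssl`, that check is the only way to notice the fallback from inside the session.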