vulnerable to MITM attack which would allow exfiltration of MySQL configuration information via --version-check
Bug #1408375 reported by David Busby
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Toolkit (moved to https://jira.percona.com/projects/PT) | Fix Released | High | Frank Cizmich | 2.2.13
Percona XtraBackup (moved to https://jira.percona.com/projects/PXB) | Fix Released | High | Alexey Kopytov |
Percona XtraBackup 2.2 | Fix Released | High | Alexey Kopytov |
Percona XtraBackup 2.3 | Fix Released | High | Alexey Kopytov |
Bug Description
An issue exists within percona-toolkit which allows for the disclosure of MySQL configuration information during a MITM attack against the version-check functionality.
A PoC exists for this issue and has been circulated internally; this bug serves as the tracker for this issue at this time and will be updated with relevant information.
CVE-2015-1027
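The fix branch name (version-check-doesnt-verify-server-cert-1408375) identifies the defect class: an HTTPS client that accepts whatever certificate the peer presents, so anyone who can redirect the connection can terminate TLS with their own certificate and read what the tool posts. The following is an added example, not code from Percona Toolkit (which is written in Perl) or from this bug report; it is in Go because the standard library can stand up a TLS server with a self-signed certificate in-process and offline. The impostor server, the payload and the function names are all constructed here; nothing about the real version-check wire format is assumed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for a MITM that has intercepted the version-check
// endpoint: it terminates TLS with its own self-signed certificate (supplied by
// httptest.NewTLSServer) and records whatever the client posts.
func newImpostorServer(captured *string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		*captured = string(body) // the attacker's haul
		fmt.Fprint(w, "impostor-reply")
	}))
}

// postVersionCheck POSTs payload to url over HTTPS. skipVerify=true models a
// client that never checks the server certificate (the pre-fix behaviour);
// false leaves Go's default verification against the system roots in place.
func postVersionCheck(url, payload string, skipVerify bool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}, // the bug, when true
	}}
	resp, err := client.Post(url, "text/plain", strings.NewReader(payload))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// isCertError reports whether err is a TLS certificate verification failure,
// i.e. the verifying client refused the impostor before sending any data.
func isCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var hostname x509.HostnameError
	var noRoots x509.SystemRootsError
	if errors.As(err, &unknownCA) || errors.As(err, &hostname) || errors.As(err, &noRoots) {
		return true
	}
	return err != nil && strings.Contains(err.Error(), "x509")
}

// demo runs the non-verifying and the verifying client against the impostor
// and returns what the impostor captured in each case, plus the verifying
// client's error.
func demo() (leakedWithoutVerify, leakedWithVerify string, verifyErr error) {
	var captured string
	srv := newImpostorServer(&captured)
	defer srv.Close()

	// Constructed payload standing in for the MySQL variables a version check reports.
	payload := "mysql_version=5.6.22\ninnodb_buffer_pool_size=134217728"

	captured = ""
	if _, err := postVersionCheck(srv.URL, payload, true); err != nil {
		return "", "", err
	}
	leakedWithoutVerify = captured

	captured = ""
	_, verifyErr = postVersionCheck(srv.URL, payload, false)
	leakedWithVerify = captured
	return leakedWithoutVerify, leakedWithVerify, verifyErr
}

func main() {
	noVerify, withVerify, err := demo()
	fmt.Printf("no verification:   impostor captured %q\n", noVerify)
	fmt.Printf("with verification: impostor captured %q; client error: %v\n", withVerify, err)
}
```

The verifying client fails the handshake with an x509 error before the request body is ever sent, so the impostor captures nothing; the non-verifying client hands over the whole payload. The same split applies to any HTTPS client library: the check the fix has to add is that the peer certificate chains to a trusted root and matches the expected hostname, and the tool should refuse to send rather than fall back to plaintext or unverified TLS when that check fails.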
Related branches
lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375
- Daniel Nichter: Pending (requested)
- Diff: 792 lines (+194/-60), 20 files modified:
bin/pt-archiver (+10/-3)
bin/pt-config-diff (+10/-3)
bin/pt-deadlock-logger (+10/-3)
bin/pt-diskstats (+10/-3)
bin/pt-duplicate-key-checker (+10/-3)
bin/pt-find (+10/-3)
bin/pt-fk-error-logger (+10/-3)
bin/pt-heartbeat (+10/-3)
bin/pt-index-usage (+10/-3)
bin/pt-kill (+10/-3)
bin/pt-online-schema-change (+10/-3)
bin/pt-query-digest (+10/-3)
bin/pt-slave-delay (+10/-3)
bin/pt-slave-restart (+10/-3)
bin/pt-table-checksum (+10/-3)
bin/pt-table-sync (+10/-3)
bin/pt-upgrade (+10/-3)
bin/pt-variable-advisor (+10/-3)
lib/HTTP/Micro.pm (+2/-1)
lib/VersionCheck.pm (+12/-5)
lp:~akopytov/percona-xtrabackup/bug1408375-2.2
- Alexey Kopytov (community): Approve
lp:~akopytov/percona-xtrabackup/bug1408375-2.3
- Alexey Kopytov (community): Approve
- Diff: 40 lines (+10/-4), 1 file modified:
storage/innobase/xtrabackup/innobackupex.pl (+10/-4)
CVE References: CVE-2015-1027
Changed in percona-toolkit:
status: New → In Progress
milestone: none → 2.2.13
assignee: nobody → Frank Cizmich (frank-cizmich)
importance: Undecided → High
Changed in percona-toolkit:
status: In Progress → Fix Committed
Changed in percona-toolkit:
status: Fix Committed → Fix Released
information type: Private Security → Public
CVE-2015-1027 has been reserved as an identifier for this issue