[v2.6] mysql: man-in-the-middle (CVE-2015-3152)
A vulnerability has been reported: MySQL users (on any major stable version) cannot force an SSL/TLS-protected connection from the client side. A client configured to use SSL still completes the connection in plaintext when the server, or a man-in-the-middle (MITM) sitting between client and server, declines the TLS negotiation, so an active attacker can silently downgrade the session.
The issue was addressed in the MySQL preview release 5.7.3 in December 2013, but most MySQL users are believed to be unaware of the limitation, so it is treated as a vulnerability.
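The following is an added example, not part of this issue report or of the MySQL project's code. It shows the defensive check a client should perform on an affected (<= 5.7.2) client library: because the SSL option does not fail the connection when encryption is not negotiated, the application verifies the session itself by reading the standard `Ssl_cipher` status variable, which is empty on a plaintext session. The DB-API cursor interface is assumed for whatever driver the deployment uses; the `_ConstructedCursor` class and its rows are constructed stand-ins so the example runs offline. Caveat: this detects an unintended plaintext session, but an active MITM that already controls a plaintext session can also forge the status reply, so the real fix is a client library that enforces TLS during the handshake (the 5.7.3 change referenced below).

```python
"""Verify that a MySQL session is actually TLS-protected.

Added example (not from the advisory or the MySQL project). On MySQL <= 5.7.2
the client-side SSL option does not fail the connection when the session is
negotiated in plaintext, so the application checks the session status itself.
`Ssl_cipher` is the standard MySQL status variable; it is empty when the
session is unencrypted.
"""

QUERY = "SHOW SESSION STATUS LIKE 'Ssl_cipher'"


def tls_in_effect(status_rows):
    """Return True only if Ssl_cipher is present and non-empty.

    `status_rows` is the result of QUERY as a sequence of (name, value) rows,
    which is the row shape any DB-API cursor returns for SHOW STATUS.
    """
    for name, value in status_rows:
        if name.lower() == "ssl_cipher":
            return bool(value and value.strip())
    return False


def require_tls(cursor):
    """Run QUERY on an open DB-API cursor and raise if the session is plaintext.

    Call this immediately after connect(), before issuing any statement that
    carries sensitive data. Returns the negotiated cipher name on success.
    (DB-API cursor interface assumed; the connection itself comes from the
    driver in use.)
    """
    cursor.execute(QUERY)
    rows = cursor.fetchall()
    if not tls_in_effect(rows):
        raise ConnectionError("MySQL session is not TLS-protected (Ssl_cipher is empty)")
    return rows[0][1]


class _ConstructedCursor:
    """Constructed stand-in for a DB-API cursor so the example runs offline."""

    def __init__(self, rows):
        self._rows = rows

    def execute(self, sql):
        # The stand-in only knows how to answer the status query.
        if sql != QUERY:
            raise ValueError("unexpected statement: %r" % sql)

    def fetchall(self):
        return list(self._rows)


if __name__ == "__main__":
    # Constructed sample: a session where TLS was negotiated.
    encrypted = _ConstructedCursor([("Ssl_cipher", "ECDHE-RSA-AES128-GCM-SHA256")])
    print("cipher:", require_tls(encrypted))
    # Constructed sample: a session silently downgraded to plaintext.
    downgraded = _ConstructedCursor([("Ssl_cipher", "")])
    try:
        require_tls(downgraded)
    except ConnectionError as err:
        print("refused:", err)
```

Run `require_tls()` once per connection before any query that matters; treat the raised `ConnectionError` as a hard failure rather than retrying without TLS.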
Affected versions:
MySQL <= 5.7.2
References:
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
https://mariadb.atlassian.net/browse/MDEV-7937
https://bugs.launchpad.net/percona-server/+bug/1447527
http://seclists.org/oss-sec/2015/q2/308
(from redmine: issue id 4227, created on 2015-05-22, closed on 2017-09-05)
- Relations:
- parent #4226