Hi,

On Sun, Jul 02, 2017 at 09:26:07AM +0200, Salvatore Bonaccorso wrote:
> Source: libdbd-mysql-perl
> Version: 4.028-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for libdbd-mysql-perl.
>
> CVE-2017-10789[0]:
> | The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1
> | setting to mean that SSL is optional (even though this setting's
> | documentation has a "your communication with the server will be
> | encrypted" statement), which allows man-in-the-middle attackers to
> | spoof servers via a cleartext-downgrade attack, a related issue to
> | CVE-2015-3152.
>
> Related upstream report handling this as a subtask at [1] and
> respective pull request with fixes for the issues discussed in [1] at
> [2].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10789
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
> [1] https://github.com/perl5-dbi/DBD-mysql/issues/110
> [2] https://github.com/perl5-dbi/DBD-mysql/pull/114
While a patch for this was upstream in 4.042 (around b6be72f321e920419bdc5c86998d9b9cb26c6791), upstream reverted _all_ changes back to 4.041.
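As an added illustration that is not part of this bug report or of DBD::mysql itself: a client-side check that detects the downgrade described in the CVE text, by asking the server which cipher protects the session after connecting with mysql_ssl=1 and refusing to proceed if the answer is empty. Host, database, credentials and the CA file path are placeholder assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from DBD::mysql): on affected
# DBD::mysql versions mysql_ssl=1 only *requests* TLS and silently falls back
# to cleartext, so the application must verify the session it actually got.
use strict;
use warnings;
use DBI;

# Placeholder connection parameters (assumed; adjust for your environment).
my $dsn = 'DBI:mysql:database=appdb;host=db.example.internal;port=3306'
        . ';mysql_ssl=1;mysql_ssl_ca_file=/etc/ssl/certs/db-ca.pem';
my ($user, $pass) = ('appuser', $ENV{DB_PASSWORD} // '');

# Return the cipher protecting the current session, or '' if the connection
# is cleartext. Ssl_cipher in SHOW STATUS is a session-scoped value and is
# empty when no TLS handshake took place.
sub session_cipher {
    my ($h) = @_;
    my $row = $h->selectrow_hashref("SHOW STATUS LIKE 'Ssl_cipher'");
    return (defined $row && defined $row->{Value}) ? $row->{Value} : '';
}

my $dbh = DBI->connect($dsn, $user, $pass,
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 })
    or die "connect failed: $DBI::errstr\n";

my $cipher = session_cipher($dbh);
if ($cipher eq '') {
    # mysql_ssl=1 was honoured as "optional": do not send anything sensitive.
    $dbh->disconnect;
    die "refusing to use unencrypted connection to the database server\n";
}
print "TLS session established, cipher: $cipher\n";

# ... application queries go here ...
$dbh->disconnect;
```

Running this against a server with TLS disabled, or through a downgrading intermediary, aborts before any application query is issued.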