Source: libdbd-mysql-perl Version: 4.028-2 Severity: important Tags: security upstream
Hi, the following vulnerability was published for libdbd-mysql-perl. CVE-2017-10789[0]: | The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 | setting to mean that SSL is optional (even though this setting's | documentation has a "your communication with the server will be | encrypted" statement), which allows man-in-the-middle attackers to | spoof servers via a cleartext-downgrade attack, a related issue to | CVE-2015-3152. Related upstream report handling this as a subtask at [1] and respective pull request with fixes for the issues discussed in [1] at [2]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-10789 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789 [1] https://github.com/perl5-dbi/DBD-mysql/issues/110 [2] https://github.com/perl5-dbi/DBD-mysql/pull/114 Regards, Salvatore _______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
