CVE-2015-3152

First published: Mon May 16 2016(Updated: )

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Oracle MySQL	<=5.7.2
Oracle Mysql Connector\/c	<=6.1.2
Mariadb Mariadb	>=5.5.0<5.5.44
Mariadb Mariadb	>=10.0.0<10.0.20
Fedoraproject Fedora	=21
Fedoraproject Fedora	=22
Debian Debian Linux	=8.0
Redhat Enterprise Linux Desktop	=7.0
Redhat Enterprise Linux Eus	=7.1
Redhat Enterprise Linux Eus	=7.2
Redhat Enterprise Linux Eus	=7.3
Redhat Enterprise Linux Eus	=7.4
Redhat Enterprise Linux Eus	=7.5
Redhat Enterprise Linux Eus	=7.6
Redhat Enterprise Linux Eus	=7.7
Redhat Enterprise Linux Server	=7.0
Redhat Enterprise Linux Server Aus	=7.3
Redhat Enterprise Linux Server Aus	=7.4
Redhat Enterprise Linux Server Aus	=7.6
Redhat Enterprise Linux Server Aus	=7.7
Redhat Enterprise Linux Server Tus	=7.3
Redhat Enterprise Linux Server Tus	=7.6
Redhat Enterprise Linux Server Tus	=7.7
Redhat Enterprise Linux Workstation	=7.0
PHP PHP	>=5.4.0<5.4.43
PHP PHP	>=5.5.0<5.5.27
PHP PHP	>=5.6.0<5.6.11

Remedy

https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390

Never miss a vulnerability like this again

Reference Links

collector/nvd-index
agent/references
agent/author
agent/severity
agent/weakness
agent/event
agent/type
agent/tags
agent/description
agent/remedy
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
vendor/oracle
canonical/oracle mysql
version/oracle mysql/5.7.2
canonical/oracle mysql connector\/c
version/oracle mysql connector\/c/6.1.2
vendor/mariadb
canonical/mariadb mariadb
version/mariadb mariadb/5.5.0
version/mariadb mariadb/10.0.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/21
version/fedoraproject fedora/22
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
vendor/redhat
canonical/redhat enterprise linux desktop
version/redhat enterprise linux desktop/7.0
canonical/redhat enterprise linux eus
version/redhat enterprise linux eus/7.1
version/redhat enterprise linux eus/7.2
version/redhat enterprise linux eus/7.3
version/redhat enterprise linux eus/7.4
version/redhat enterprise linux eus/7.5
version/redhat enterprise linux eus/7.6
version/redhat enterprise linux eus/7.7
canonical/redhat enterprise linux server
version/redhat enterprise linux server/7.0
canonical/redhat enterprise linux server aus
version/redhat enterprise linux server aus/7.3
version/redhat enterprise linux server aus/7.4
version/redhat enterprise linux server aus/7.6
version/redhat enterprise linux server aus/7.7
canonical/redhat enterprise linux server tus
version/redhat enterprise linux server tus/7.3
version/redhat enterprise linux server tus/7.6
version/redhat enterprise linux server tus/7.7
canonical/redhat enterprise linux workstation
version/redhat enterprise linux workstation/7.0
vendor/php
canonical/php php
version/php php/5.4.0
version/php php/5.5.0
version/php php/5.6.0

CVE-2015-3152

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact