CVE 2015-3152
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
Related bugs and status
CVE-2015-3152 (Candidate) is related to these bugs:
Bug #1427406: data corruption on arm64 and ppc64el
Bug | Summary | In | Importance | Status
---|---|---|---|---
1427406 | data corruption on arm64 and ppc64el | mysql-5.6 (Ubuntu) | Critical | Fix Released
1427406 | data corruption on arm64 and ppc64el | mysql-5.6 (Ubuntu Trusty) | Critical | Fix Released
1427406 | data corruption on arm64 and ppc64el | mysql-5.6 (Ubuntu Vivid) | Critical | Won't Fix
1427406 | data corruption on arm64 and ppc64el | mysql-5.6 (Ubuntu Utopic) | Critical | Won't Fix
1427406 | data corruption on arm64 and ppc64el | MySQL Server | Unknown | Unknown
1427406 | data corruption on arm64 and ppc64el | mariadb-5.5 (Ubuntu) | Undecided | Invalid
1427406 | data corruption on arm64 and ppc64el | mariadb-5.5 (Ubuntu Trusty) | Critical | Fix Released
1427406 | data corruption on arm64 and ppc64el | mariadb-5.5 (Ubuntu Utopic) | Undecided | Fix Released
1427406 | data corruption on arm64 and ppc64el | mariadb-10.0 (Ubuntu) | Undecided | Fix Released
1427406 | data corruption on arm64 and ppc64el | mariadb-10.0 (Ubuntu Trusty) | Undecided | Invalid
1427406 | data corruption on arm64 and ppc64el | mariadb-10.0 (Ubuntu Utopic) | Undecided | Invalid
1427406 | data corruption on arm64 and ppc64el | mariadb-10.0 (Ubuntu Vivid) | Undecided | Fix Released
1427406 | data corruption on arm64 and ppc64el | mariadb-10.0 (Ubuntu Wily) | Undecided | Fix Released
1427406 | data corruption on arm64 and ppc64el | mysql-5.6 (Ubuntu Wily) | Critical | Fix Released
1427406 | data corruption on arm64 and ppc64el | mariadb-10.0 (Debian) | Unknown | Fix Released
1427406 | data corruption on arm64 and ppc64el | mysql-5.5 (Ubuntu) | Undecided | Invalid
1427406 | data corruption on arm64 and ppc64el | mysql-5.5 (Ubuntu Trusty) | Critical | Fix Released
1427406 | data corruption on arm64 and ppc64el | mysql-5.5 (Ubuntu Utopic) | Critical | Fix Released
Bug #1447527: --ssl option should enforce SSL
Bug | Summary | In | Importance | Status
---|---|---|---|---
1447527 | --ssl option should enforce SSL | Percona Server moved to https://jira.percona.com/projects/PS | High | Triaged
1447527 | --ssl option should enforce SSL | Percona Server moved to https://jira.percona.com/projects/PS 5.5 | High | Triaged
1447527 | --ssl option should enforce SSL | Percona Server moved to https://jira.percona.com/projects/PS 5.6 | High | Triaged
1447527 | --ssl option should enforce SSL | MySQL Server | Unknown | Unknown
1447527 | --ssl option should enforce SSL | Percona Server moved to https://jira.percona.com/projects/PS 5.7 | High | Fix Released
Bug #1451677: USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB
Bug | Summary | In | Importance | Status
---|---|---|---|---
1451677 | USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB | mariadb-5.5 (Ubuntu) | Undecided | Fix Released
1451677 | USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB | mariadb-10.0 (Ubuntu) | Medium | Fix Released
Bug #1464895: CVE-2015-3152: MySQL SSL/TLS downgrade vulnerability
Bug | Summary | In | Importance | Status
---|---|---|---|---
1464895 | CVE-2015-3152: MySQL SSL/TLS downgrade vulnerability | mariadb-5.5 (Ubuntu) | Undecided | Fix Released
1464895 | CVE-2015-3152: MySQL SSL/TLS downgrade vulnerability | mariadb-10.0 (Ubuntu) | Undecided | Fix Released
See the CVE page on Mitre.org for more details.