The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this settings documentation has a your communication with the server will be encrypted statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dbd-mysql | Dbd-mysql_project | * | 4.043 (including) |
| Libdbd-mysql-perl | Ubuntu | artful | * |
| Libdbd-mysql-perl | Ubuntu | esm-apps/xenial | * |
| Libdbd-mysql-perl | Ubuntu | esm-infra-legacy/trusty | * |
| Libdbd-mysql-perl | Ubuntu | precise/esm | * |
| Libdbd-mysql-perl | Ubuntu | trusty | * |
| Libdbd-mysql-perl | Ubuntu | trusty/esm | * |
| Libdbd-mysql-perl | Ubuntu | upstream | * |
| Libdbd-mysql-perl | Ubuntu | xenial | * |
| Libdbd-mysql-perl | Ubuntu | yakkety | * |
| Libdbd-mysql-perl | Ubuntu | zesty | * |
References
- http://www.securityfocus.com/bid/99364
- https://github.com/perl5-dbi/DBD-mysql/issues/110
- https://github.com/perl5-dbi/DBD-mysql/issues/140
- https://github.com/perl5-dbi/DBD-mysql/pull/114
- http://www.securityfocus.com/bid/99364
- https://github.com/perl5-dbi/DBD-mysql/issues/110
- https://github.com/perl5-dbi/DBD-mysql/issues/140
- https://github.com/perl5-dbi/DBD-mysql/pull/114