From: Mark Felder
To: Alex Dupre
Cc: Erwin Lansing, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers, ports-secteam@freebsd.org
Subject: Re: svn commit: r392140 - head/databases/mysql56-server
Date: Fri, 17 Jul 2015 05:28:17 -0500
In-Reply-To: <55A8D138.2050901@FreeBSD.org>
References: <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org>

> On Jul 17, 2015, at 04:56, Alex Dupre wrote:
>
> Erwin Lansing wrote:
>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
>>>
>>> Log:
>>>   Update to 5.6.25 release.
>>
>> Does this by any chance fix this vulnerability?
>
> No, probably they are not going to fix this "vulnerability" because,
> even if it wasn't a great security choice and in fact it changed in
> mysql 5.7, it was the intended and documented behavior:
>
>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection.
>

And yet they advertise this option as a solution for preventing MITM attacks:

> MYSQL_OPT_SSL_VERIFY_SERVER_CERT (argument type: my_bool *)
>
> Enable or disable verification of the server's Common Name value in its
> certificate against the host name used when connecting to the server.
> The connection is rejected if there is a mismatch. This feature can be
> used to prevent man-in-the-middle attacks. Verification is disabled by default.

Which of course is useless if it happily falls back to non-SSL...
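The thread's point is that on 5.5/5.6 clients the SSL options only permit TLS, so certificate verification buys nothing once the client has quietly fallen back to plaintext. The defensive consequence is that the application has to confirm, after the handshake, that the session it got is actually TLS-protected and tear it down otherwise. The following is an added example (not code from the thread, the FreeBSD port, or MySQL itself) of such a post-connect check in Python: it asks the server for the per-session `Ssl_cipher` status variable, which is empty for a plaintext session, and refuses to hand back a connection that reports no cipher. It assumes a DB-API style driver whose `connect()` returns an object with `cursor()` / `execute()` / `fetchone()` / `close()` (PyMySQL and MySQLdb both fit); the `FakeDriver` at the bottom is a constructed stand-in so the example runs offline, and `db.example` / `app` are placeholder connection parameters.

```python
"""Post-connect TLS enforcement for MySQL clients whose SSL options only *permit* TLS.

Added example; assumes a DB-API style driver. The FakeDriver below is a
constructed stand-in used only so the code runs without a database.
"""
from typing import Any, Callable


class PlaintextFallbackError(RuntimeError):
    """Raised when the negotiated session turned out to be unencrypted."""


def session_tls_cipher(conn: Any) -> str:
    """Return the cipher of *this* session, or '' if the session is plaintext.

    SHOW STATUS LIKE 'Ssl_cipher' is session-scoped: it reports the cipher
    negotiated for the current connection and an empty string when no TLS
    handshake took place (the silent fallback the mailing-list thread describes).
    """
    cur = conn.cursor()
    try:
        cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
        row = cur.fetchone()
    finally:
        cur.close()
    if row is None:
        return ""
    return row[1] or ""


def connect_require_tls(connect: Callable[..., Any], **kwargs: Any) -> Any:
    """Call connect(**kwargs) and return the connection only if TLS is active.

    The driver's ssl options (and MYSQL_OPT_SSL_* in the C API) do not force
    TLS on 5.5/5.6 clients, so the caller verifies after the handshake and
    closes the session instead of sending credentials or queries over it.
    """
    conn = connect(**kwargs)
    if not session_tls_cipher(conn):
        conn.close()
        raise PlaintextFallbackError(
            "server session negotiated without TLS; refusing to use it")
    return conn


# --- constructed fake driver (not a real MySQL client) -----------------------
class _FakeCursor:
    def __init__(self, cipher: str) -> None:
        self._cipher = cipher

    def execute(self, sql: str) -> None:
        # Only the status query above is expected from this example.
        assert sql.upper().startswith("SHOW STATUS"), sql

    def fetchone(self):
        # Mirrors the real result row: (variable name, value).
        return ("Ssl_cipher", self._cipher)

    def close(self) -> None:
        pass


class FakeConnection:
    """Simulates a session that either negotiated TLS or fell back to plaintext."""

    def __init__(self, cipher: str) -> None:
        self.cipher = cipher
        self.closed = False

    def cursor(self) -> _FakeCursor:
        return _FakeCursor(self.cipher)

    def close(self) -> None:
        self.closed = True


class FakeDriver:
    """connect() stand-in; cipher='' reproduces the unencrypted fallback."""

    def __init__(self, cipher: str) -> None:
        self.cipher = cipher
        self.last: Any = None

    def connect(self, **kwargs: Any) -> FakeConnection:
        self.last = FakeConnection(self.cipher)
        return self.last


def demo() -> dict:
    """Exercise both outcomes and report what happened."""
    tls = FakeDriver("ECDHE-RSA-AES256-GCM-SHA384")  # constructed cipher value
    conn = connect_require_tls(tls.connect, host="db.example", user="app")
    result = {"tls_cipher": session_tls_cipher(conn),
              "fallback_rejected": False, "fallback_closed": False}

    plain = FakeDriver("")  # server without SSL: client would silently downgrade
    try:
        connect_require_tls(plain.connect, host="db.example", user="app")
    except PlaintextFallbackError:
        result["fallback_rejected"] = True
    result["fallback_closed"] = plain.last.closed
    return result


if __name__ == "__main__":
    print(demo())
```

With a real driver the call is `connect_require_tls(pymysql.connect, host=..., user=..., ssl={...})`; the C API equivalent of the status query is `mysql_get_ssl_cipher()`, which returns NULL for a plaintext session. The check matters precisely because the authentication exchange has already completed by the time it runs, so pair it with a server-side `REQUIRE SSL` on the account where that is available; 5.7 clients, which the thread notes changed this behaviour, can instead refuse plaintext themselves.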