Date:      Mon, 13 Jul 2015 20:46:04 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r391952 - head/security/vuxml
Message-ID:  <201507132046.t6DKk4ak062946@repo.freebsd.org>

Author: feld
Date: Mon Jul 13 20:46:04 2015
New Revision: 391952
URL: https://svnweb.freebsd.org/changeset/ports/391952

Log:
  Document CVE-2015-3152 "BACKRONYM" vulnerability
  
  PHP resolved in recent releases
  MySQL has fixed in 5.7 branch and did not backport to older branches
  MariaDB resolved in 5.5.44 and 10.0.20
  Percona has not included a fix in any release (5.1, 5.5, or 5.6)
  
  Security:	CVE-2015-3152

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Jul 13 20:27:49 2015	(r391951)
+++ head/security/vuxml/vuln.xml	Mon Jul 13 20:46:04 2015	(r391952)
@@ -58,6 +58,67 @@ Notes:
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="36bd352d-299b-11e5-86ff-14dae9d210b8">
+    <topic>mysql -- SSL Downgrade</topic>
+    <affects>
+      <package>
+	<name>php56-mysql</name>
+	<name>php56-mysqli</name>
+	<range><lt>5.6.11</lt></range>
+      </package>
+      <package>
+	<name>php55-mysql</name>
+	<name>php55-mysqli</name>
+	<range><lt>5.5.27</lt></range>
+      </package>
+      <package>
+	<name>php54-mysql</name>
+	<name>php54-mysqli</name>
+	<range><lt>5.4.43</lt></range>
+      </package>
+      <package>
+	<name>mariadb-server</name>
+	<name>mysql51-server</name>
+	<name>mysql55-server</name>
+	<name>mysql56-server</name>
+	<name>percona55-server</name>
+	<name>percona56-server</name>
+	<range><ge>0</ge></range>
+      </package>
+      <package>
+	<name>mariadb55</name>
+	<range><lt>5.5.44</lt></range>
+      </package>
+      <package>
+	<name>mariadb10</name>
+	<range><lt>10.0.20</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Duo Security reports:</p>
+	<blockquote cite="INSERT URL HERE">
+	  <p>Researchers have identified a serious vulnerability in some
+	    versions of Oracle’s MySQL database product that allows an attacker to
+	    strip SSL/TLS connections of their security wrapping transparently.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://bugs.php.net/bug.php?id=69669</url>;
+      <url>https://www.duosecurity.com/blog/backronym-mysql-vulnerability</url>;
+      <url>http://www.ocert.org/advisories/ocert-2015-003.html</url>;
+      <url>https://mariadb.atlassian.net/browse/MDEV-7937</url>;
+      <url>https://mariadb.com/kb/en/mariadb/mariadb-10020-changelog/</url>;
+      <url>https://mariadb.com/kb/en/mariadb/mariadb-5544-changelog/</url>;
+      <cvename>CVE-2015-3152</cvename>
+    </references>
+    <dates>
+      <discovery>2015-03-20</discovery>
+      <entry>2015-07-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="81326883-2905-11e5-a4a5-002590263bf5">
     <topic>devel/ipython -- CSRF possible remote execution vulnerability</topic>
     <affects>
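Review bot: The `cite` attribute on the new `<blockquote>` still holds the template placeholder `INSERT URL HERE`, so the quoted Duo Security text has no source. It should point at the advisory already listed under `<references>`: `<blockquote cite="https://www.duosecurity.com/blog/backronym-mysql-vulnerability">`. Separately, the `<ge>0</ge>` group marks `mariadb-server` as affected in every version, while the commit log and the `mariadb55`/`mariadb10` ranges say MariaDB is fixed in 5.5.44 and 10.0.20. It is worth confirming that these names and ranges match the real port package names, so that patched MariaDB installs are not flagged indefinitely. The quoted text is about connections being stripped of SSL/TLS and the PHP entries are client modules, so it may also be worth checking whether the `-client` packages should be listed instead of, or in addition to, the `-server` ones.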


