| Name | CVE-2015-3152 |
| Description | Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-3311-1 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mariadb-10.0 | source | jessie | 10.0.20-0+deb8u1 | DSA-3311-1 | ||
| mariadb-10.0 | source | (unstable) | 10.0.20-1 | |||
| percona-xtradb-cluster-5.5 | source | (unstable) | (unfixed) |
CVE was assigned explicitly only for MariaDB and Percona, but not Oracle MySQL
since Oracle is a CNA itself.
http://www.ocert.org/advisories/ocert-2015-003.html
http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
https://mariadb.atlassian.net/browse/MDEV-7937