CVE-2016-2047

NameCVE-2016-2047
DescriptionThe ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-447-1, DSA-3453-1, DSA-3557-1
NVD severitymedium (attack range: remote)
Debian Bugs821094, 821100

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mariadb-10.0 (PTS)jessie10.0.30-0+deb8u2fixed
jessie (security)10.0.32-0+deb8u1fixed
mysql-5.5 (PTS)wheezy5.5.47-0+deb7u1vulnerable
wheezy (security)5.5.58-0+deb7u1fixed
jessie5.5.55-0+deb8u1fixed
jessie (security)5.5.58-0+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mariadb-10.0source(unstable)10.0.23-1medium
mariadb-10.0sourcejessie10.0.23-0+deb8u1mediumDSA-3453-1
mysql-5.5source(unstable)(unfixed)medium821100
mysql-5.5sourcejessie5.5.49-0+deb8u1mediumDSA-3557-1
mysql-5.5sourcewheezy5.5.49-0+deb7u1mediumDLA-447-1
mysql-5.6source(unstable)5.6.30-1medium821094

Notes

https://mariadb.atlassian.net/browse/MDEV-9212
https://github.com/MariaDB/server/commit/f0d774d48416bb06063184380b684380ca005a41
[squeeze] - mysql-5.5 <no-dsa> (will be fixed along with an upcoming Oracle CPU)
http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
Search for package or bug name: Reporting problems