Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Mysql/Mariadb insecure salt-usage
From: Sergei Golubchik <serg () askmonty org>
Date: Wed, 5 Dec 2012 13:43:46 +0100

Hi, Huzaifa!

On Dec 05, Huzaifa Sidhpurwala wrote:
Noticed another post by kingcope on full-disclosure, which basically
boils down to re-use of a salt-value when transmitting passwords
over a network.

If you could MITM/capture network packets, you could use this
weakness to determine the passwords.

References:
http://seclists.org/fulldisclosure/2012/Dec/58
https://bugzilla.redhat.com/show_bug.cgi?id=883719

Should this a CVE be assigned to this issue?

https://mariadb.atlassian.net/browse/MDEV-3915

Regards,
Sergei


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]