Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Mysql/Mariadb insecure salt-usage
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 06 Dec 2012 01:49:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/05/2012 05:43 AM, Sergei Golubchik wrote:
Hi, Huzaifa!

On Dec 05, Huzaifa Sidhpurwala wrote:
Noticed another post by kingcope on full-disclosure, which
basically boils down to re-use of a salt-value when transmitting
passwords over a network.

If you could MITM/capture network packets, you could use this 
weakness to determine the passwords.

References: http://seclists.org/fulldisclosure/2012/Dec/58 
https://bugzilla.redhat.com/show_bug.cgi?id=883719

Should this a CVE be assigned to this issue?

https://mariadb.atlassian.net/browse/MDEV-3915

Regards, Sergei

Please use CVE-2012-5627 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQwFwqAAoJEBYNRVNeJnmTVl0QAJJZ5G5h2GxyLieUCGsa15HP
KQ3uZU1KGZ2uGrueRRzZqbk+i5qP8P7eVwwZEq57lNJRZKYf++UXDRu0WGOn8A0A
6qgUjDphoqJBmK1hYDjpyO+/YY79p5mGAye3bUKZGs5bOUrYTGTE9MZealwo0+Ur
En5veDhj0fcOgZGiiRcyz4EE4Zf43Cnq5FKs8ZRNvMqJwqoDTlAUnPCZ7v5v+Sb0
eNWNOpYC2BUld2Yorm/3wo46zt2nsVAL41r9IY7OmBWKS68yAeXCzXmNYYtiktoQ
LQLIidqFWcPIOF90sD0IeSy01XRNUK+23Qed2JtV3YBbI8Wu0RS8IlsEJMV1j8Ik
lzXQFleMIQ4JXdVeJXeTbTfnbc5ri8qZCkKduwzFq28jyXEPvXxnBMEmcQUUaMcL
KimFSf6ur3eGK8WL3s1fXDh+asaHonsKLoYHEKmP0f+Td7/4fLjN+FjrjMhYxmec
PDn+B1rMefsy3C/IWupy3HIINDXN23o/A0rsoQurycAsm1Z4FIrGP5VNZqmBhYO6
SP60nAWUqVk9hh6Z9rtZKkVkwYsk76Ac8i18Qs9mdL5y0hYVhPqjHKIq6NL/dk9A
lkXVGd28w43SLcNHI2eG/XjZn7tQliu3p2O7Koj4rEYObzVp0JcnhZg17NzNz4PN
jGICtk8EGou6cwwtzlXw
=O9Xz
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]