Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20121205124346.GA6921@meddwl.vdavda.com>
Date: Wed, 5 Dec 2012 13:43:46 +0100
From: Sergei Golubchik <serg@...monty.org>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>,
	Jan Lieskovsky <jlieskov@...hat.com>,
	Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: CVE request: Mysql/Mariadb insecure salt-usage

Hi, Huzaifa!

On Dec 05, Huzaifa Sidhpurwala wrote:
> Noticed another post by kingcope on full-disclosure, which basically
> boils down to re-use of a salt-value when transmitting passwords
> over a network.
> 
> If you could MITM/capture network packets, you could use this
> weakness to determine the passwords.
> 
> References:
> http://seclists.org/fulldisclosure/2012/Dec/58
> https://bugzilla.redhat.com/show_bug.cgi?id=883719
> 
> Should this a CVE be assigned to this issue?

https://mariadb.atlassian.net/browse/MDEV-3915

Regards,
Sergei

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.