Message-ID: <50C05C2A.3090607@redhat.com>
Date: Thu, 06 Dec 2012 01:49:46 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Sergei Golubchik <serg@...monty.org>, Jan Lieskovsky <jlieskov@...hat.com>, Huzaifa Sidhpurwala <huzaifas@...hat.com>
Subject: Re: CVE request: Mysql/Mariadb insecure salt-usage

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/05/2012 05:43 AM, Sergei Golubchik wrote:
> Hi, Huzaifa!
>
> On Dec 05, Huzaifa Sidhpurwala wrote:
>> Noticed another post by kingcope on full-disclosure, which
>> basically boils down to re-use of a salt-value when transmitting
>> passwords over a network.
>>
>> If you could MITM/capture network packets, you could use this
>> weakness to determine the passwords.
>>
>> References: http://seclists.org/fulldisclosure/2012/Dec/58
>> https://bugzilla.redhat.com/show_bug.cgi?id=883719
>>
>> Should a CVE be assigned to this issue?
>
> https://mariadb.atlassian.net/browse/MDEV-3915
>
> Regards, Sergei

Please use CVE-2012-5627 for this issue.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQwFwqAAoJEBYNRVNeJnmTVl0QAJJZ5G5h2GxyLieUCGsa15HP
KQ3uZU1KGZ2uGrueRRzZqbk+i5qP8P7eVwwZEq57lNJRZKYf++UXDRu0WGOn8A0A
6qgUjDphoqJBmK1hYDjpyO+/YY79p5mGAye3bUKZGs5bOUrYTGTE9MZealwo0+Ur
En5veDhj0fcOgZGiiRcyz4EE4Zf43Cnq5FKs8ZRNvMqJwqoDTlAUnPCZ7v5v+Sb0
eNWNOpYC2BUld2Yorm/3wo46zt2nsVAL41r9IY7OmBWKS68yAeXCzXmNYYtiktoQ
LQLIidqFWcPIOF90sD0IeSy01XRNUK+23Qed2JtV3YBbI8Wu0RS8IlsEJMV1j8Ik
lzXQFleMIQ4JXdVeJXeTbTfnbc5ri8qZCkKduwzFq28jyXEPvXxnBMEmcQUUaMcL
KimFSf6ur3eGK8WL3s1fXDh+asaHonsKLoYHEKmP0f+Td7/4fLjN+FjrjMhYxmec
PDn+B1rMefsy3C/IWupy3HIINDXN23o/A0rsoQurycAsm1Z4FIrGP5VNZqmBhYO6
SP60nAWUqVk9hh6Z9rtZKkVkwYsk76Ac8i18Qs9mdL5y0hYVhPqjHKIq6NL/dk9A
lkXVGd28w43SLcNHI2eG/XjZn7tQliu3p2O7Koj4rEYObzVp0JcnhZg17NzNz4PN
jGICtk8EGou6cwwtzlXw
=O9Xz
-----END PGP SIGNATURE-----
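The thread's point is that a challenge-response password scheme is only as good as the freshness of its challenge: if the server hands out the same salt (scramble) again, a response captured from the wire is worth as much as the password for the next attempt. The following Python is an added illustration, not code from the thread, from MySQL or from MariaDB. It assumes the publicly documented mysql_native_password layout (20-byte scramble; response = SHA1(password) XOR SHA1(scramble || SHA1(SHA1(password)))) and uses a toy in-memory server with a constructed user and password. `AuthServer`, `replay_accepted` and `find_reused_scrambles` are names chosen here. It shows the check a server must make (a new random scramble for every authentication attempt) and a simple audit over a list of observed scrambles that flags reuse.

```python
import hashlib
import hmac
import secrets

SCRAMBLE_LEN = 20  # size of the mysql_native_password scramble (public scheme)


def stage2_hash(password: bytes) -> bytes:
    """SHA1(SHA1(password)): the value the server stores instead of the password."""
    return hashlib.sha1(hashlib.sha1(password).digest()).digest()


def client_response(password: bytes, scramble: bytes) -> bytes:
    """Client half of the exchange: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    mix = hashlib.sha1(scramble + stage2_hash(password)).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def verify_response(stored_stage2: bytes, scramble: bytes, response: bytes) -> bool:
    """Server half: undo the XOR to recover SHA1(pw), hash once more, compare."""
    if len(response) != len(stored_stage2):
        return False
    mix = hashlib.sha1(scramble + stored_stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(response, mix))
    return hmac.compare_digest(hashlib.sha1(stage1).digest(), stored_stage2)


class AuthServer:
    """Toy server (hypothetical, for illustration): one stored hash per user.

    fresh_scramble_per_attempt=False reproduces the weak pattern the thread
    describes: the same scramble is reissued instead of being drawn anew.
    """

    def __init__(self, users: dict, fresh_scramble_per_attempt: bool = True):
        self.users = users                      # user -> SHA1(SHA1(password))
        self.fresh = fresh_scramble_per_attempt
        self._scramble = None

    def challenge(self) -> bytes:
        if self._scramble is None or self.fresh:
            self._scramble = secrets.token_bytes(SCRAMBLE_LEN)  # CSPRNG, never reused
        return self._scramble

    def authenticate(self, user: str, response: bytes) -> bool:
        stored = self.users.get(user)
        if stored is None or self._scramble is None:
            return False
        ok = verify_response(stored, self._scramble, response)
        if self.fresh:
            self._scramble = None  # challenge consumed; next attempt needs a new one
        return ok


def replay_accepted(fresh_scramble_per_attempt: bool) -> bool:
    """Is a response captured from one login accepted unchanged on the next attempt?"""
    password = b"correct horse"  # constructed sample credential
    srv = AuthServer({"alice": stage2_hash(password)}, fresh_scramble_per_attempt)
    first = srv.challenge()
    captured = client_response(password, first)   # what an on-path observer would see
    assert srv.authenticate("alice", captured)     # the legitimate login succeeds
    srv.challenge()                                # next attempt: fresh or reused?
    return srv.authenticate("alice", captured)


def find_reused_scrambles(observed: list) -> set:
    """Audit helper: scrambles that appear more than once in a handshake log."""
    seen, reused = set(), set()
    for s in observed:
        if s in seen:
            reused.add(s)
        seen.add(s)
    return reused


if __name__ == "__main__":
    print("reused scramble, replay accepted:", replay_accepted(False))
    print("fresh scramble,  replay accepted:", replay_accepted(True))
```

With the fresh-scramble server the captured response fails verification on the next attempt, because the XOR mask was derived from a scramble that no longer exists server-side; with the reused scramble it authenticates again, which is exactly why the thread treats salt reuse as a password-disclosure issue.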