The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before
5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of
zero for the depth of X.509 certificates, which allows man-in-the-middle
attackers to spoof arbitrary SSL-based MySQL servers via a crafted
certificate, as demonstrated by a certificate presented by a server linked
against the yaSSL library.
Author | Note |
---|---|
mdeslaur | dapper doesn’t build with ssl hardy+ builds with yaSSL none of our releases are vulnerable, as the yaSSL code ignores the verify callback (see mysql bug) |