CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL.

It was found that the MySQL client library permitted but did not require a client to use SSL/TLS when establishing a secure connection to a MySQL server using the "--ssl" option. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2015-3152)

This update fixes several vulnerabilities in the MariaDB database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. (CVE-2015-2582, CVE-2015-2611, CVE-2015-2617, CVE-2015-2620, CVE-2015-2639, CVE-2015-2641, CVE-2015-2643, CVE-2015-2648, CVE-2015-2661, CVE-2015-4737, CVE-2015-4752, CVE-2015-4756, CVE-2015-4757, CVE-2015-4761, CVE-2015-4767, CVE-2015-4769, CVE-2015-4771, CVE-2015-4772)

These updated packages upgrade MariaDB to MariaDB 10.0.20. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes.

All MariaDB users should upgrade to these updated packages, which correct these issues. After installing this update, the MariaDB server daemon (mysqld) will be restarted automatically.
lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html
lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html
mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html
rhn.redhat.com/errata/RHSA-2015-1646.html
rhn.redhat.com/errata/RHSA-2015-1647.html
rhn.redhat.com/errata/RHSA-2015-1665.html
www.debian.org/security/2015/dsa-3311
www.ocert.org/advisories/ocert-2015-003.html
www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixMSQL
www.securityfocus.com/archive/1/535397/100/1100/threaded
www.securityfocus.com/bid/74398
www.securitytracker.com/id/1032216
access.redhat.com/security/cve/cve-2015-3152
access.redhat.com/security/updates/classification/#important
github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
jira.mariadb.org/browse/MDEV-7937
mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/
rhn.redhat.com/errata/RHSA-2015-1646.html
www.duosecurity.com/blog/backronym-mysql-vulnerability
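To make the CVE-2015-3152 client behaviour concrete, here is an added Python example (not code from the advisory, MariaDB or MySQL) that builds constructed MySQL handshake packets and checks the CLIENT_SSL capability bit on both sides: `client_decision` is the policy the fix requires (abort when TLS is required but the greeting does not offer it, instead of silently continuing in plaintext), and `classify_exchange` is the on-the-wire pattern a defender can look for in a capture. The packet layouts follow the MySQL client/server protocol; the server version string, connection id and flag combinations are made-up sample values.

```python
CLIENT_SSL = 0x00000800          # server: "TLS available"; client: "switch to TLS now"
CLIENT_PROTOCOL_41 = 0x00000200  # set by every modern client; used here only to build samples

def _packet(seq: int, body: bytes) -> bytes:
    """Wrap a payload in the 4-byte MySQL packet header (3-byte length, 1-byte sequence id)."""
    return len(body).to_bytes(3, "little") + bytes([seq]) + body

def build_greeting(caps: int) -> bytes:
    """Constructed sample Protocol::HandshakeV10 greeting advertising the given capability flags."""
    body = (b"\x0a" + b"10.0.20-MariaDB\x00"            # protocol version 10, server version (sample)
            + (7).to_bytes(4, "little")                 # connection id (sample value)
            + b"12345678" + b"\x00"                     # auth-plugin-data-part-1, filler
            + (caps & 0xFFFF).to_bytes(2, "little")     # capability flags, lower 16 bits
            + b"\x21" + (2).to_bytes(2, "little")       # character set, status flags
            + (caps >> 16).to_bytes(2, "little")        # capability flags, upper 16 bits
            + b"\x00" + b"\x00" * 10)                   # auth data length, reserved bytes
    return _packet(0, body)

def build_client_reply(caps: int) -> bytes:
    """Constructed sample first client packet (SSLRequest / HandshakeResponse41 prefix)."""
    body = caps.to_bytes(4, "little") + (1 << 24).to_bytes(4, "little") + b"\x21" + b"\x00" * 23
    return _packet(1, body)

def server_capabilities(greeting: bytes) -> int:
    """Extract the 32-bit capability flags from a HandshakeV10 greeting (header included)."""
    body = greeting[4:]
    if body[0] != 10:
        raise ValueError("not a HandshakeV10 greeting")
    pos = body.index(b"\x00", 1) + 1 + 4 + 8 + 1   # skip version, conn id, auth data, filler
    lower = int.from_bytes(body[pos:pos + 2], "little")
    upper = int.from_bytes(body[pos + 5:pos + 7], "little")  # after charset(1) + status(2)
    return (upper << 16) | lower

def client_decision(greeting: bytes, require_tls: bool) -> str:
    """Fixed client policy: TLS required + no CLIENT_SSL in the greeting means abort, not fall back."""
    if server_capabilities(greeting) & CLIENT_SSL:
        return "ssl_request"
    return "abort" if require_tls else "plaintext"

def classify_exchange(greeting: bytes, reply: bytes, client_wanted_tls: bool) -> str:
    """Detection view of one captured greeting/reply pair; client flags are the reply's first 4 bytes."""
    offered = bool(server_capabilities(greeting) & CLIENT_SSL)
    requested = bool(int.from_bytes(reply[4:8], "little") & CLIENT_SSL)
    if offered and requested:
        return "tls"
    if client_wanted_tls and not requested:
        return "downgrade"   # client configured for TLS yet spoke plaintext: the CVE-2015-3152 pattern
    return "plaintext"
```

A greeting whose CLIENT_SSL bit has been cleared in transit followed by a plaintext HandshakeResponse41 from a client that was started with "--ssl" is the "downgrade" case; the patched client returns "abort" there instead.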