Lucene search
RootSSV:15006HistoryDec 02, 2009 - 12:00 a.m.
MySQL OpenSSL客户端绕过yaSSL服务器证书验证漏洞
2009-12-0200:00:00
Root
www.seebug.org
326
EPSS
0.005
Percentile
76.8%
BUGTRAQ ID: 37076
CVE ID: CVE-2009-4028
MySQL是一款使用非常广泛的开放源代码关系数据库系统,拥有各种平台的运行版本。
在使用OpenSSL的时候,MySQL的viosslfactories.c文件中的vio_verify_callback函数可以接受深度为0的X.509证书:
vio_verify_callback() at viosslfactories.c:
/*
Approve cert if depth is greater then "verify_depth", currently
verify_depth is always 0 and there is no way to increase it.
*/
if (verify_depth >= depth)
ok= 1;
提供了特制证书的基于SSL MySQL数据库可以执行中间人攻击。
MySQL AB MySQL 5.1.x
MySQL AB MySQL 5.0.x
厂商补丁:
MySQL AB
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Related
ubuntucve
ubuntucve
CVE-2009-4028
2009-11-30 00:00:00
veracode
veracode
Spoofing Attack
2020-04-10 00:43:12
prion
prion
Design/Logic Flaw
2009-11-30 17:30:00
nvd
nvd
CVE-2009-4028
2009-11-30 17:30:00
cve
cve
CVE-2009-4028
2009-11-30 17:30:00
cvelist
cvelist
CVE-2009-4028
2009-11-30 17:00:00
openvas
openvas
Fedora Core 11 FEDORA-2009-13504 (mysql)
2009-12-30 00:00:00
Fedora Core 11 FEDORA-2009-13504 (mysql)
2009-12-30 00:00:00
Fedora Core 12 FEDORA-2009-13466 (mysql)
2009-12-30 00:00:00
fedora
fedora
[SECURITY] Fedora 11 Update: mysql-5.1.41-2.fc11
2009-12-22 04:54:08
[SECURITY] Fedora 12 Update: mysql-5.1.41-2.fc12
2009-12-22 04:48:21
nessus
nessus
Fedora 12 : mysql-5.1.41-2.fc12 (2009-13466)
2009-12-22 00:00:00
Fedora 11 : mysql-5.1.41-2.fc11 (2009-13504)
2009-12-22 00:00:00
SuSE 11 Security Update : MySQL (SAT Patch Number 2317)
2010-12-02 00:00:00
securityvulns
securityvulns
MySQL multiple security vulnerabilities
2010-01-19 00:00:00
[ MDVSA-2010:012 ] mysql
2010-01-19 00:00:00
centos
centos
mysql security update
2010-03-01 18:43:17
redhat
redhat
(RHSA-2010:0109) Moderate: mysql security update
2010-02-16 00:00:00
oraclelinux
oraclelinux
mysql security update
2010-02-16 00:00:00
gentoo
gentoo
MySQL: Multiple vulnerabilities
2012-01-05 00:00:00