CVE-2015-3152

Published: 16 May 2016

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

Priority

Low

CVSS 3 base score: 5.9

Status

Package Release Status
mariadb-10.0
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (10.0.22-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

mariadb-5.5
Launchpad, Ubuntu, Debian
Upstream
Released (5.5.44)
Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [5.5.44-1ubuntu0.14.04.1])
mysql-5.5
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Ignored

Patches:
Upstream: https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
mysql-5.6
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored)
Patches:
Upstream: https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
mysql-dfsg-5.1
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
percona-server-5.6
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

percona-xtradb-cluster-5.5
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)

Notes

AuthorNote
tyhicks
The MySQL documentation makes the behavior of the --ssl option clear.
It isn't known if they'll release updates for the 5.5/5.6 series.
mdeslaur
not included in 5.5.47 or 5.6.28.
Marking this issue as "ignored" since it doesn't look like
upstream is going to fix this in 5.5 and 5.6, and we aren't
going to diverge from upstream.

References