Oval Definition:oval:com.ubuntu.xenial:def:20162047000
Revision Date:2016-01-27Version:1
Title:CVE-2016-2047 on Ubuntu 16.04 LTS (xenial) - medium.
Description:The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "/CN=" string in a field in a certificate, as demonstrated by "/OU=/CN=bar.com/CN=foo.com."
Family:unixClass:vulnerability
Status:Reference(s):CVE-2016-2047
Platform(s):Ubuntu 16.04 LTS
Product(s):
Definition Synopsis
  • Ubuntu 16.04 LTS (xenial) is installed.
  • AND Package Information
  • NOT While related to the CVE in some way, the 'mariadb-10.0' package in xenial is not affected (note: '10.0.23-1').
  • OR The 'mysql-5.7' package in xenial was vulnerable but has been fixed (note: '5.7.12-0ubuntu1').
  • OR The 'percona-server-5.6' package in xenial is affected and needs fixing.
  • OR The 'percona-xtradb-cluster-5.6' package in xenial was vulnerable but has been fixed (note: '5.6.34-26.19-0ubuntu0.16.04.1').
    • BACK