Bugzilla – Bug 919298
VUL-0: CVE-2015-1027: xtrabackup, percona-toolkit: MITM vulnerability via version check
Last modified: 2015-05-06 15:05:56 UTC
http://www.percona.com/blog/2015/02/17/percona-xtrabackup-2-2-9-now-available/

> Percona XtraBackup was vulnerable to MITM attack which could allow exfiltration of MySQL configuration information via --version-check option. This vulnerability was logged as CVE-2015-1027.

https://bugs.launchpad.net/percona-xtrabackup/+bug/1408375

The effect is mitigated a bit because, with some foresight, the openSUSE package was patched to not perform the automatic version check, see bug 864194 (CVE-2014-2029):
https://build.opensuse.org/package/view_file/server:database/xtrabackup/percona-xtrabackup-2.2.x-disable-default-version-check.patch?expand=1

However, as a version check may still be requested through configuration or command line switch, an update is necessary.

Current versions:
openSUSE 13.1: 2.1.8
openSUSE 13.2: 2.2.4
server:database: 2.2.8

Not released in SLE.
This was also fixed in percona-toolkit 2.2.13, which should also go to the update repository:

> * Fixed lp#1408375: vulnerable to MITM attack which would allow
>   exfiltration of MySQL configuration
>   information via --version-check
bugbot adjusting priority
This is an autogenerated message for OBS integration:
This bug (919298) was mentioned in
https://build.opensuse.org/request/show/287669 Factory / xtrabackup

This is an autogenerated message for OBS integration:
This bug (919298) was mentioned in
https://build.opensuse.org/request/show/288038 13.2+13.1 / xtrabackup+percona-toolkit
released
openSUSE-SU-2015:0472-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 919298
CVE References: CVE-2015-1027
Sources used:
openSUSE 13.2 (src): percona-toolkit-2.2.13-4.1, xtrabackup-2.2.9-4.1
openSUSE 13.1 (src): percona-toolkit-2.2.13-2.14.1, xtrabackup-2.1.8-25.1
Better late than never, upstream advisory:
https://www.percona.com/blog/2015/05/06/percona-security-advisory-cve-2015-1027/