MySQL with yaSSL vulnerability

It’s worth noting that if you’re using MySQL 5.0/5.1, with SSL enabled, and you’re using yaSSL as opposed to OpenSSL, you’re vulnerable to CVE-2009-4484. Its a buffer overflow, that works over TCP, via the MySQL port, 3306. Lenz furnished us with some information, and the patch is available. You’ll see this rocking when MySQL 5.1.43 gets released.

It affects Debian (presumably, it will also affect Ubuntu). Red Hat/CentOS is spared, because instead of using yaSSL, OpenSSL is used.

MariaDB 5.1.41-rc (based on MySQL 5.1.41) which was just released a few days ago, naturally is also affected. The next release candidate might potentially be rebased against 5.1.42 (the builds are already ready, from what I understand), and will include this patch.

Some yaSSL trivia: did you know that one of the two co-founders of the project, is actually Larry Stefonic? Larry was an early MySQL Ab employee, holding quite a few positions at MySQL Ab; he was the President of MySQL KK (the Japanese branch), and was also SVP for worldwide OEM sales!


i