Pali

**Name of the Vulnerable Software and Affected Versions** DBD::mysql versions through 4.043 **Description** The issue allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack. This occurs because the mysql ssl=1 setting is used to mean that SSL is optional, despite the documentation stating that communication with the server will be encrypted. **Recommendations** For DBD::mysql versions through 4.043, consider disabling the use of the mysql ssl=1 setting until a patch is available, and instead, enforce SSL encryption for all connections to prevent cleartext-downgrade attacks.

**Name of the Vulnerable Software and Affected Versions** DBD::mysql versions prior to 4.039 **Description** The issue allows attackers to cause a denial of service, specifically an out-of-bounds read, when using server-side prepared statement support. This can be achieved through vectors involving an unaligned number of placeholders in the WHERE condition and output fields in the SELECT expression. **Recommendations** For versions prior to 4.039, update to version 4.039 or later to resolve the issue. As a temporary workaround, consider avoiding the use of server-side prepared statement support until a patch is applied. Restrict the use of unaligned placeholders in WHERE conditions and output fields in SELECT expressions to minimize the risk of exploitation.