From ${URL} : PolarSSL 1.3.9 released [1]. From release notes:

... On the security front this release fixes a mistake in the negotiation introduced in PolarSSL 1.3.8. The mistake resulted in servers negotiating a weaker signature algorithm than available. In addition two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in this release. ...

[1]: https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
It has been bumped a week ago already. Just stabilize it.
CVE-2014-8627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8627): PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
Arches, please test and mark stable: =net-libs/polarssl-1.3.9
Target keywords: "alpha amd64 arm hppa ppc ppc64 sparc x86"
Stable on alpha.
Stable for HPPA PPC64.
arm stable
amd64 stable
x86 stable
sparc stable
ppc stable. Maintainer(s), please clean up. Security, please vote.
Vote: NO.
GLSA Vote: No. Maintainer(s), please drop the vulnerable version(s).
It has been 30 days since cleanup was requested. Maintainer(s), please drop the vulnerable version(s).
Please clean up =net-libs/polarssl-1.3.8
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d64be016252e524c703fc79e90d9d1032d0813ff