From $URL: By posing as a man in the middle and modifying packets as the secure communication is set-up it is possible for an attacker to force the calculation of a fully predictable Diffie Hellman secret. The cipher suites that may be affected (depending on other variables) are: * SSL_EDH_RSA_DES_168_SHA * SSL_EDH_RSA_AES_128_SHA * SSL_EDH_RSA_AES_256_SHA * SSL_EDH_RSA_CAMELLIA_128_SHA * SSL_EDH_RSA_CAMELLIA_256_SHA In case full authentication (client and server certificates) is used, no man in the middle attack seems possible.
polarssl-0.14.2 just added to main tree
Thank you. Arches, please stabilize =net-libs/polarssl-0.14.2
Created attachment 266255 [details] Build log problem with test, but it compile amd64 ok
x86 stable. No issues with build or tests.
(In reply to comment #3) > Created attachment 266255 [details] > Build log > > problem with test, but it compile Install and run the test suite again. Stable for HPPA.
ppc/ppc64 stable
amd64 done. Thanks Agostino
Thanks, folks. GLSA Vote: yes.
Vote: YES. New GLSA request filed.
Please punt vulnerable versions.
(In reply to comment #10) > Please punt vulnerable versions. done
CVE-2011-1923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1923): The Diffie-Hellman key-exchange implementation in dhm.c in PolarSSL before 0.14.2 does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-5095.
This issue was resolved and addressed in GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml by GLSA coordinator Sergey Popov (pinkbyte).
