Summary: | <net-libs/polarssl-0.14.2: Man-in-the-Middle vulnerability (CVE-2011-1923) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | tommy | ||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://polarssl.org/trac/wiki/SecurityAdvisory201101 | ||||||
Whiteboard: | B4 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Tim Sammut (RETIRED)
2011-03-14 03:49:47 UTC
polarssl-0.14.2 just added to main tree Thank you. Arches, please stabilize =net-libs/polarssl-0.14.2 Created attachment 266255 [details]
Build log
problem with test, but it compile
amd64 ok
x86 stable. No issues with build or tests. (In reply to comment #3) > Created attachment 266255 [details] > Build log > > problem with test, but it compile Install and run the test suite again. Stable for HPPA. ppc/ppc64 stable amd64 done. Thanks Agostino Thanks, folks. GLSA Vote: yes. Vote: YES. New GLSA request filed. Please punt vulnerable versions. (In reply to comment #10) > Please punt vulnerable versions. done CVE-2011-1923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1923): The Diffie-Hellman key-exchange implementation in dhm.c in PolarSSL before 0.14.2 does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-5095. This issue was resolved and addressed in GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml by GLSA coordinator Sergey Popov (pinkbyte). |