Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 516904 (CVE-2014-4911)

Summary: <net-libs/polarssl-1.3.8: Denial of Service against GCM enabled servers (and clients) (CVE-2014-4911)
Product: Gentoo Security Reporter: Julian Ospald <hasufell>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: tommy
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02
See Also: https://github.com/polarssl/polarssl/issues/113
Whiteboard: C3 [noglsa]
Package list:
Runtime testing required: ---

Description Julian Ospald 2014-07-11 18:29:32 UTC 
I will bump soon.
Comment 1 Julian Ospald 2014-07-11 23:52:32 UTC 
+*polarssl-1.3.8 (11 Jul 2014)
+
+  11 Jul 2014; Julian Ospald <hasufell@gentoo.org> +polarssl-1.3.8.ebuild,
+  +files/polarssl-1.3.8-ssl_pthread_server.patch:
+  version bump
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-12 00:04:33 UTC 
Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Comment 3 Julian Ospald 2014-07-12 12:28:22 UTC 
(In reply to Yury German from comment #2)
> Maintainers, please advise when ebuilds have had enough testing, and are
> ready for stabilization.

now.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-15 23:42:48 UTC 
Arches, please test and mark stable:

=net-libs/polarssl-1.3.8

Target Keywords : "amd64 arm hppa ppc ppc64 spark x86"

Thank you!
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-19 00:47:36 UTC 
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2014-07-24 19:22:36 UTC 
arm stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-07-25 01:33:28 UTC 
CVE-2014-4911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4911):
  The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11
  and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service
  (crash) via vectors related to the GCM ciphersuites, as demonstrated using
  the Codenomicon Defensics toolkit.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-07-27 11:13:55 UTC 
x86 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-28 22:00:04 UTC 
amd64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2014-08-02 15:40:25 UTC 
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-08 21:36:00 UTC 
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:14 UTC 
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-09 11:27:24 UTC 
GLSA vote: no,
Comment 14 Julian Ospald 2014-08-09 12:52:46 UTC 
+  09 Aug 2014; Julian Ospald <hasufell@gentoo.org> -polarssl-1.3.4.ebuild,
+  -polarssl-1.3.5.ebuild, -polarssl-1.3.6.ebuild, -polarssl-1.3.7.ebuild,
+  -polarssl-1.3.7-r1.ebuild, -files/polarssl-1.3.4-cflags.patch,
+  -files/polarssl-1.3.4-out-of-source.patch,
+  -files/polarssl-1.3.4-static.patch, -files/polarssl-1.3.4-zlib.patch:
+  cleanup vulnerable versions wrt #516904
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-08-11 23:09:48 UTC 
GLSA Vote: No

No GLSA - Closing Bug as Resolved