Summary: | <net-libs/mbedtls-2.1.2: crash or remote code execution on clients using session tickets or SNI (CVE-2015-5291) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Julian Ospald <hasufell>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | blueness, tommy
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 | |
Whiteboard: | B1 [glsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 620500 | |
Description
Julian Ospald
2015-10-08 21:45:43 UTC
mbedtls bumped to 2.1.2 and old versions cleaned up:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=769245b868ad148eb4f44f463c8190641c311781
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8e6d5bf813b88ed5cc43bbfb5d2aaa72cfe4cc5

Is PolarSSL done? I do not see anything higher than 1.3.9.

Ping on the question above?

Sorry, I have been and am still pretty busy, but for now checked the remaining packages depending on polarssl. I have opened bugs for them, bug 618354 tracks them.

I split out net-libs/polarssl into bug 620502.

This issue was resolved and addressed in GLSA 201706-18 at https://security.gentoo.org/glsa/201706-18 by GLSA coordinator Kristian Fiskerstrand (K_F).