
Bug 562608

Summary: <net-libs/mbedtls-2.1.2: crash or remote code execution on clients using session tickets or SNI (CVE-2015-5291)
Product: Gentoo Security Reporter: Julian Ospald <hasufell>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: blueness, tommy
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 620500    

Description Julian Ospald 2015-10-08 21:45:43 UTC
Denial of service and possible remote code execution, see $URL for full description. Severity rated high by upstream.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-04-17 22:20:45 UTC
Is PolarSSL done? I do not see anything higher than 1.3.9
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-29 16:07:18 UTC
Ping on the question above?
Comment 4 Thomas Sachau gentoo-dev 2017-05-13 13:53:58 UTC
Sorry, I have been and am still pretty busy, but for now checked the remaining packages depending on polarssl. I have opened bugs for them, bug 618354 tracks them.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 12:31:02 UTC
I split out net-libs/polarssl into bug 620502.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:45:52 UTC
This issue was resolved and addressed in
 GLSA 201706-18 at https://security.gentoo.org/glsa/201706-18
by GLSA coordinator Kristian Fiskerstrand (K_F).