|Summary:|<net-libs/mbedtls-2.2.1: Double free and MD5 signature issue (SLOTH)|||
|Product:|Gentoo Security|Reporter:|Hanno Böck <hanno>|
|Component:|Vulnerabilities|Assignee:|Gentoo Security <security>|
|Severity:|normal|CC:|blueness, hasufell, slawomir.nizio, tommy|
|Whiteboard:|B3 [glsa cve]|||
|Package list:||Runtime testing required:|---|
Description Hanno Böck 2016-01-06 18:54:40 UTC
mbedtls has released updated versions that fix a double free vuln and an MD5 signature issue related to the SLOTH attack: https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released

Here's the info about the SLOTH attack: http://www.mitls.org/pages/attacks/SLOTH

polarssl (the older name of mbedtls) is also affected; Gentoo currently still has an ebuild for polarssl 1.3.9. While upstream released an update for an old polarssl branch (1.2.19), there seems to be no update for polarssl 1.3.9, so polarssl probably should be removed completely.
Comment 1 Anthony Basile 2017-01-28 17:56:10 UTC
All <net-libs/mbedtls-2.2.1 ebuilds are off the tree. However, all the polarssl ebuilds are vulnerable. We should mask polarssl for removal. @tommy, do you want to take care of polarssl since it's your package?
Comment 2 Thomas Sachau 2017-05-13 13:55:26 UTC
The remaining packages depending on polarssl have open bugs assigned, bug 618354 tracks them.
Comment 3 Thomas Deutschmann 2017-06-03 12:41:42 UTC
I split out net-libs/polarssl into bug 620504. The SLOTH issue is CVE-2015-7575. Added to an existing GLSA.