
Bug 629448 (CVE-2017-14032)

Summary: <net-libs/mbedtls-2.6.0: Bypass of authentication of peer possible when the authentication mode is configured as 'optional' (CVE-2017-14032)
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: blueness
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1487120
Whiteboard: B4 [noglsa cve]
Package list:
=net-libs/mbedtls-2.6.0
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-08-31 13:54:33 UTC
From $URL:

ARM mbed TLS before 1.3.21, 2.1.x before 2.1.9 and 2.x before 2.6.0, if optional
authentication is configured, allows remote attackers to bypass peer
authentication via an X.509 certificate chain with many intermediates.
NOTE: although mbed TLS was formerly known as PolarSSL, the releases
shipped with the PolarSSL name are not affected.

Reference:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
Comment 1 Anthony Basile gentoo-dev 2017-08-31 13:58:05 UTC
2.6.0 is in the tree and ready for stabilization

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-01 22:21:30 UTC
ia64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 07:35:34 UTC
Stable on alpha.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 22:28:14 UTC
amd64/x86 stable
Comment 5 Markus Meier gentoo-dev 2017-09-07 19:41:17 UTC
arm stable
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:23:52 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-19 07:51:40 UTC
stable for hppa/sparc (thanks to Rolf Eike Beer)
Comment 8 Anthony Basile gentoo-dev 2017-09-19 10:16:27 UTC
ppc and ppc64 stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 13:36:22 UTC
@Security please vote

@Maintainer please proceed to clean the tree.

Gentoo Security Padawan
ChrisADR
Comment 10 Anthony Basile gentoo-dev 2017-09-19 16:28:27 UTC
(In reply to Christopher Díaz from comment #9)
> @Maintainer please proceed to clean the tree.

done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 13:50:15 UTC
GLSA Vote: No