From ${URL} :

Description
A vulnerability has been reported in PolarSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library.

The vulnerability is caused due to an error when processing certificate messages and can be exploited to trigger an infinite loop via a PEM encoded certificate within the certificate message.

Successful exploitation requires that PolarSSL is compiled with the POLARSSL_PEM_C option (enabled by default).

The vulnerability is reported in versions prior to 1.1.7 and 1.2.8.

Solution:
Update to version 1.1.7 or 1.2.8.

Provided and/or discovered by:
The vendor credits Jack Lloyd.

Original Advisory:
PolarSSL Security Advisory 2013-03:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Are we good to stable?
(In reply to Chris Reffett from comment #1)
> Are we good to stable?

looks good for stable, so adding arches.

please stabilize:
=net-libs/polarssl-1.2.8

target keywords:
amd64 arm hppa ppc ppc64 s390 sparc x86 ~amd64-fbsd ~x86-fbsd
amd64 stable
x86 stable
Stable for HPPA.
ppc stable
ppc64 stable
arm stable
s390 stable
sparc stable
old version removed
GLSA vote: yes

As we already have a draft for polarssl
CVE-2013-4623 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4623):
The x509parse_crt function in x509.h in PolarSSL 1.1.x before 1.1.7 and 1.2.x before 1.2.8 does not properly parse certificate messages during the SSL/TLS handshake, which allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certificate message that contains a PEM encoded certificate.
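The condition named in the CVE text above, a PEM encoded certificate inside a TLS Certificate message, can be screened for before the message body reaches an X.509 parser. The following C check is an added example, not code from PolarSSL or from this bug report; `cert_msg_check`, `rd24` and the sample byte strings are hypothetical and constructed for illustration, and it assumes the TLS 1.2 Certificate layout (3-byte list length, then a 3-byte length plus a DER certificate per entry).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample message bodies (not captured traffic). */
static const uint8_t SAMPLE_DER[] = {0, 0, 5, 0, 0, 2, 0x30, 0x00};
static const char SAMPLE_PEM[] =
    "\x00\x00\x1e\x00\x00\x1b-----BEGIN CERTIFICATE-----";

/* Read a 24-bit big-endian length, as used in TLS handshake framing. */
static size_t rd24(const uint8_t *p) {
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/*
 * Hypothetical helper: inspect the body of a Certificate handshake message
 * (the bytes after the 4-byte handshake header).
 * Returns 0 if every entry starts like DER (SEQUENCE tag 0x30),
 *         1 if an entry starts with a PEM header,
 *        -1 if the framing is malformed or an entry is neither.
 */
int cert_msg_check(const uint8_t *body, size_t len) {
    static const char pem[] = "-----BEGIN";
    const size_t pem_len = sizeof(pem) - 1;
    size_t off = 3;

    if (len < 3 || rd24(body) != len - 3) return -1;
    while (off < len) {
        size_t clen;
        if (len - off < 3) return -1;
        clen = rd24(body + off);
        off += 3;
        if (clen == 0 || clen > len - off) return -1;
        if (clen >= pem_len && memcmp(body + off, pem, pem_len) == 0)
            return 1;
        if (body[off] != 0x30) return -1;
        off += clen; /* strictly advances, so the loop always terminates */
    }
    return 0;
}

int main(void) {
    printf("DER sample: %d\n", cert_msg_check(SAMPLE_DER, sizeof SAMPLE_DER));
    printf("PEM sample: %d\n",
           cert_msg_check((const uint8_t *)SAMPLE_PEM, sizeof SAMPLE_PEM - 1));
    return 0;
}
```

A result of 1 marks a peer that sent PEM where the protocol carries DER, which is worth logging and rejecting regardless of the library version in use.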
Added to existing GLSA draft
This issue was resolved and addressed in GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml by GLSA coordinator Sergey Popov (pinkbyte).