Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 620504 - net-libs/polarssl: Double free and MD5 signature issue (SLOTH)
Summary: net-libs/polarssl: Double free and MD5 signature issue (SLOTH)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://tls.mbed.org/tech-updates/rel...
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-03 12:38 UTC by Thomas Deutschmann
Modified: 2018-01-15 04:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-06-03 12:38:58 UTC
From $URL:

(2.2, 2.1, 1.3) Fixes a potential double free when mbedtls_asn1_store_named_data() fails to allocate memory. This was only used for certificate generation and was not triggerable remotely in SSL/TLS. The original issues was found by Rafał Przywara, in https://github.com/ARMmbed/mbedtls/issues/367
    
(2.2, 2.1, 1.3) Disables by default MD5 handshake signatures in TLS 1.2 to prevent the SLOTH attack on TLS 1.2 server authentication (other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-01-05 16:25:27 UTC
Added to existing GLSA.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-01-15 04:28:35 UTC
This issue was resolved and addressed in
 GLSA 201801-15 at https://security.gentoo.org/glsa/201801-15
by GLSA coordinator Thomas Deutschmann (whissi).