Bug 629448 (CVE-2017-14032) - <net-libs/mbedtls-2.6.0: Bypass of authentication of peer possible when the authentication mode is configured as 'optional' (CVE-2017-14032)
Status: RESOLVED FIXED
Alias: CVE-2017-14032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 13:54 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-09-24 13:50 UTC (History)

See Also:
Package list:
=net-libs/mbedtls-2.6.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description Aleksandr Wagner (Kivak) 2017-08-31 13:54:33 UTC
From $URL:

ARM mbed TLS before 1.3.21, 2.1.x before 2.1.9 and 2.x before 2.6.0, if optional
authentication is configured, allows remote attackers to bypass peer
authentication via an X.509 certificate chain with many intermediates.
NOTE: although mbed TLS was formerly known as PolarSSL, the releases
shipped with the PolarSSL name are not affected.

Reference:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
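The failure mode the description refers to, as an added illustration that is not mbedtls's code and not part of the original report: in "optional" authentication mode the library is expected to finish the handshake even when peer verification fails, and the application then decides by inspecting the reported verification result. The toy model below assumes (an assumption for the example, not a statement about the exact mbedtls code path) that a chain exceeding an intermediate-CA limit is reported as an error return with no verification flag set, and that the optional-mode path discards that error return; the result is that a too-deep chain reports a clean verification result. All constants, function names and the chain structure are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative constants; not mbedtls identifiers. */
#define MAX_INTERMEDIATE_CA   8
#define VERIFY_NONE           0
#define VERIFY_OPTIONAL       1
#define VERIFY_REQUIRED       2

#define BADCERT_NOT_TRUSTED   0x08u   /* chain does not end at a trusted CA */
#define BADCERT_OTHER         0x100u  /* failure not otherwise expressed as a flag */

#define ERR_CHAIN_TOO_LONG    (-0x3000) /* illustrative error return */

/* Constructed toy chain: only the metadata the model needs. */
typedef struct {
    int depth;              /* leaf + intermediates + root */
    int signed_by_trusted;  /* 1 if the chain terminates at a trusted root */
} chain_t;

/* Toy verifier: ordinary failures set bits in *flags and return 0; the
 * too-deep chain is reported only as a negative return, *flags stays 0
 * (this is the assumed defect pattern the example is built around). */
int toy_verify_chain(const chain_t *chain, uint32_t *flags)
{
    *flags = 0;
    if (chain->depth > MAX_INTERMEDIATE_CA + 1)
        return ERR_CHAIN_TOO_LONG;
    if (!chain->signed_by_trusted)
        *flags |= BADCERT_NOT_TRUSTED;
    return 0;
}

/* Vulnerable handshake step: optional mode drops the error return and only
 * the flags reach the application, so the too-deep chain looks verified. */
int parse_certificate_vulnerable(const chain_t *chain, int authmode,
                                 uint32_t *verify_result)
{
    uint32_t flags;
    int ret = toy_verify_chain(chain, &flags);
    *verify_result = flags;
    if (authmode == VERIFY_OPTIONAL)
        ret = 0;                 /* optional: never abort the handshake */
    if (ret != 0 || (authmode == VERIFY_REQUIRED && flags != 0))
        return -1;
    return 0;
}

/* Hardened step: an error return that carries no flag is recorded as
 * BADCERT_OTHER before optional mode clears ret, so the application still
 * sees that verification did not succeed. */
int parse_certificate_fixed(const chain_t *chain, int authmode,
                            uint32_t *verify_result)
{
    uint32_t flags;
    int ret = toy_verify_chain(chain, &flags);
    if (ret != 0 && flags == 0)
        flags |= BADCERT_OTHER;
    *verify_result = flags;
    if (authmode == VERIFY_OPTIONAL)
        ret = 0;
    if (ret != 0 || (authmode == VERIFY_REQUIRED && flags != 0))
        return -1;
    return 0;
}

/* Application-side decision: accept the peer only if the handshake completed
 * AND the reported verification result is clean. This check is what optional
 * mode requires of the caller. Returns 1 if the peer would be accepted. */
int peer_accepted(int use_fix, int depth, int trusted, int authmode)
{
    chain_t chain = { depth, trusted };
    uint32_t vr = 0;
    int rc = use_fix ? parse_certificate_fixed(&chain, authmode, &vr)
                     : parse_certificate_vulnerable(&chain, authmode, &vr);
    return rc == 0 && vr == 0;
}

int main(void)
{
    /* Constructed inputs: a normal chain and one with 10 intermediates. */
    printf("normal chain, optional, vulnerable: accepted=%d\n",
           peer_accepted(0, 3, 1, VERIFY_OPTIONAL));
    printf("deep chain,   optional, vulnerable: accepted=%d  <- bypass\n",
           peer_accepted(0, 12, 1, VERIFY_OPTIONAL));
    printf("deep chain,   optional, fixed:      accepted=%d\n",
           peer_accepted(1, 12, 1, VERIFY_OPTIONAL));
    printf("deep chain,   required, vulnerable: accepted=%d\n",
           peer_accepted(0, 12, 1, VERIFY_REQUIRED));
    return 0;
}
```

The practical check on the application side is unchanged by the library fix: with optional authentication an application must read the verification result (in mbedtls, `mbedtls_ssl_get_verify_result()` after the handshake) and refuse the peer on anything non-zero, and it should additionally prefer the required mode wherever a handshake without a trusted peer has no legitimate use.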
Comment 1 Anthony Basile gentoo-dev 2017-08-31 13:58:05 UTC
2.6.0 is in the tree and ready for stabilization

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-01 22:21:30 UTC
ia64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 07:35:34 UTC
Stable on alpha.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 22:28:14 UTC
amd64/x86 stable
Comment 5 Markus Meier gentoo-dev 2017-09-07 19:41:17 UTC
arm stable
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:23:52 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-19 07:51:40 UTC
stable for hppa/sparc (thanks to Rolf Eike Beer)
Comment 8 Anthony Basile gentoo-dev 2017-09-19 10:16:27 UTC
ppc and ppc64 stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 13:36:22 UTC
@Security please vote

@Maintainer please proceed to clean the tree.

Gentoo Security Padawan
ChrisADR
Comment 10 Anthony Basile gentoo-dev 2017-09-19 16:28:27 UTC
(In reply to Christopher Díaz from comment #9)
> @Maintainer please proceed to clean the tree.

done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 13:50:15 UTC
GLSA Vote: No