Bug 516904 (CVE-2014-4911) - <net-libs/polarssl-1.3.8: Denial of Service against GCM enabled servers (and clients) (CVE-2014-4911)
Summary: <net-libs/polarssl-1.3.8: Denial of Service against GCM enabled servers (and ...
Status: RESOLVED FIXED
Alias: CVE-2014-4911
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://polarssl.org/tech-updates/sec...
Whiteboard: C3 [noglsa]
Reported: 2014-07-11 18:29 UTC by Julian Ospald
Modified: 2014-08-11 23:09 UTC (History)
Description Julian Ospald 2014-07-11 18:29:32 UTC
I will bump soon.
Comment 1 Julian Ospald 2014-07-11 23:52:32 UTC
+*polarssl-1.3.8 (11 Jul 2014)
+
+  11 Jul 2014; Julian Ospald <hasufell@gentoo.org> +polarssl-1.3.8.ebuild,
+  +files/polarssl-1.3.8-ssl_pthread_server.patch:
+  version bump
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-12 00:04:33 UTC
Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Comment 3 Julian Ospald 2014-07-12 12:28:22 UTC
(In reply to Yury German from comment #2)
> Maintainers, please advise when ebuilds have had enough testing, and are
> ready for stabilization.

now.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-15 23:42:48 UTC
Arches, please test and mark stable:

=net-libs/polarssl-1.3.8

Target Keywords : "amd64 arm hppa ppc ppc64 sparc x86"

Thank you!
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-19 00:47:36 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2014-07-24 19:22:36 UTC
arm stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-07-25 01:33:28 UTC
CVE-2014-4911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4911):
  The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11
  and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service
  (crash) via vectors related to the GCM ciphersuites, as demonstrated using
  the Codenomicon Defensics toolkit.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-07-27 11:13:55 UTC
x86 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-28 22:00:04 UTC
amd64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2014-08-02 15:40:25 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-08 21:36:00 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:14 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-09 11:27:24 UTC
GLSA vote: no.
Comment 14 Julian Ospald 2014-08-09 12:52:46 UTC
+  09 Aug 2014; Julian Ospald <hasufell@gentoo.org> -polarssl-1.3.4.ebuild,
+  -polarssl-1.3.5.ebuild, -polarssl-1.3.6.ebuild, -polarssl-1.3.7.ebuild,
+  -polarssl-1.3.7-r1.ebuild, -files/polarssl-1.3.4-cflags.patch,
+  -files/polarssl-1.3.4-out-of-source.patch,
+  -files/polarssl-1.3.4-static.patch, -files/polarssl-1.3.4-zlib.patch:
+  cleanup vulnerable versions wrt #516904
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-08-11 23:09:48 UTC
GLSA Vote: No

No GLSA - Closing Bug as Resolved