Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629448 (CVE-2017-14032) - <net-libs/mbedtls-2.6.0: Bypass of authentication of peer possible when the authentication mode is configured as 'optional' (CVE-2017-14032)
Summary: <net-libs/mbedtls-2.6.0: Bypass of authentication of peer possible when the a...
Status: RESOLVED FIXED
Alias: CVE-2017-14032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 13:54 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-09-24 13:50 UTC (History)
1 user (show)

See Also:
Package list:
=net-libs/mbedtls-2.6.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-08-31 13:54:33 UTC
From $URL:

ARM mbed TLS before 1.3.21, 2.1.x before 2.1.9 and 2.x before 2.6.0, if optional
authentication is configured, allows remote attackers to bypass peer
authentication via an X.509 certificate chain with many intermediates.
NOTE: although mbed TLS was formerly known as PolarSSL, the releases
shipped with the PolarSSL name are not affected.

Reference:

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
Comment 1 Anthony Basile gentoo-dev 2017-08-31 13:58:05 UTC
2.6.0 is in the tree and ready for stabilization

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Sergei Trofimovich gentoo-dev 2017-09-01 22:21:30 UTC
ia64 stable
Comment 3 Tobias Klausmann gentoo-dev 2017-09-04 07:35:34 UTC
Stable on alpha.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-04 22:28:14 UTC
amd64/x86 stable
Comment 5 Markus Meier gentoo-dev 2017-09-07 19:41:17 UTC
arm stable
Comment 7 Sergei Trofimovich gentoo-dev 2017-09-19 07:51:40 UTC
stanle for hppa/sparc (thanks to Rolf Eike Beer)
Comment 8 Anthony Basile gentoo-dev 2017-09-19 10:16:27 UTC
ppc and ppc64 stable
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 13:36:22 UTC
@Security please vote

@Maintainer please proceed to clean the tree.

Gentoo Security Padawan
ChrisADR
Comment 10 Anthony Basile gentoo-dev 2017-09-19 16:28:27 UTC
(In reply to Christopher Díaz from comment #9)
> @Maintainer please proceed to clean the tree.

done.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-24 13:50:15 UTC
GLSA Vote: No