CVSS2 (vector AV:N/AC:M/Au:N/C:P/I:P/A:P, base score 6.8)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

EPSS

Percentile | 84.4% |
Note: this package was called polarssl and is now called mbedtls; the PolarSSL software is now called mbed TLS.

Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message (CVE-2015-5291).

Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session (CVE-2015-8036).

Both issues sit in the client-side code that serialises ClientHello extensions into the SSL output buffer: the length of the SNI hostname, or of the session ticket, is not checked against the space remaining in that buffer before the bytes are copied. They differ in who controls the oversized input. A session ticket is an opaque blob handed to the client by the server in an earlier session, so any server the client later resumes against can trigger CVE-2015-8036. The SNI hostname is supplied by the client application (ssl_set_hostname() in the 1.3 API), so CVE-2015-5291 is reachable only where the application passes a hostname taken from untrusted input. Servers are not affected by either issue.

The mbedtls package has been updated to version 1.3.16, which contains several other bug fixes, security fixes and security enhancements. The hiawatha package, which uses the polarssl/mbedtls library, has been updated to version 9.13 for improved compatibility. The belle-sip library package has been updated to version 1.4.2 for improved compatibility, and the linphone and pdns packages have been rebuilt against mbedtls.
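The bug behind both CVEs is a missing space check when a ClientHello extension is written into the output buffer. The following is an added example, not mbed TLS source code, showing the vulnerable shape of an SNI extension writer next to a bounds-checked one. A single array stands in for the output buffer followed by neighbouring heap data filled with a sentinel, so the overrun is visible without any undefined behaviour. The extension framing follows RFC 6066; the buffer sizes, error codes and function names are this example's own assumptions. The session ticket extension (CVE-2015-8036) is the same pattern with 4 bytes of framing and a server-supplied ticket as the payload.

```c
/* Added illustration, not mbed TLS code. Framing per RFC 6066 (server_name);
 * buffer sizes, error codes and names are this example's own assumptions. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ERR_BUFFER_TOO_SMALL  (-1)   /* example's own error codes */
#define ERR_BAD_INPUT         (-2)
#define EXT_SERVER_NAME       0x0000 /* RFC 6066 extension type */
#define SNI_HOST_NAME         0x00   /* RFC 6066 NameType host_name */
#define SNI_OVERHEAD          9u     /* type(2) ext_len(2) list_len(2) name_type(1) name_len(2) */

#define OUT_LEN    64u   /* pretend output buffer (the real one is the SSL output buffer) */
#define GUARD_LEN  256u  /* stands in for whatever follows the buffer on the heap */

static void put_u16(unsigned char *p, size_t v)
{
    p[0] = (unsigned char)((v >> 8) & 0xFF);
    p[1] = (unsigned char)(v & 0xFF);
}

/* Vulnerable shape: emits the framing and copies the name, trusting that it
 * fits. Nothing here knows where the buffer ends. */
static size_t write_sni_unchecked(unsigned char *buf, const char *hostname)
{
    size_t hlen = strlen(hostname);
    unsigned char *p = buf;

    put_u16(p, EXT_SERVER_NAME); p += 2;
    put_u16(p, hlen + 5);        p += 2;   /* extension_data length */
    put_u16(p, hlen + 3);        p += 2;   /* ServerNameList length */
    *p++ = SNI_HOST_NAME;
    put_u16(p, hlen);            p += 2;   /* HostName length */
    memcpy(p, hostname, hlen);
    return SNI_OVERHEAD + hlen;
}

/* Corrected shape: decide before writing a single byte. The space check is a
 * subtraction on `room`, never `p + hlen > end`, so it cannot wrap; the 16-bit
 * length fields are checked too, since a name that overflows them cannot be
 * encoded at all. */
static int write_sni_checked(unsigned char *buf, const unsigned char *end,
                             const char *hostname, size_t *olen)
{
    size_t hlen = strlen(hostname);
    size_t room = (size_t)(end - buf);

    *olen = 0;
    if (hlen == 0 || hlen + 5 > 0xFFFF)
        return ERR_BAD_INPUT;
    if (room < SNI_OVERHEAD || hlen > room - SNI_OVERHEAD)
        return ERR_BUFFER_TOO_SMALL;
    *olen = write_sni_unchecked(buf, hostname);   /* now known to fit */
    return 0;
}

/* Constructed hostnames: runs of 'a' of the requested length. */
static char *make_hostname(size_t hlen)
{
    static char name[512];
    if (hlen >= sizeof name) hlen = sizeof name - 1;
    memset(name, 'a', hlen);
    name[hlen] = '\0';
    return name;
}

/* Runs the unchecked writer against an OUT_LEN-byte pretend buffer and returns
 * how many sentinel bytes of the guard region it clobbered. */
size_t sni_unchecked_overrun(size_t hlen)
{
    unsigned char region[OUT_LEN + GUARD_LEN];
    size_t i, clobbered = 0;

    if (hlen + SNI_OVERHEAD > sizeof region)   /* keep the demo itself in bounds */
        return (size_t)-1;
    memset(region, 0xAA, sizeof region);
    write_sni_unchecked(region, make_hostname(hlen));
    for (i = OUT_LEN; i < sizeof region; i++)
        if (region[i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Runs the checked writer the same way. Returns bytes written, or the negative
 * error code; -99 would mean the guard was touched, which must never happen. */
long sni_checked_result(size_t hlen)
{
    unsigned char region[OUT_LEN + GUARD_LEN];
    size_t olen, i;
    int ret;

    memset(region, 0xAA, sizeof region);
    ret = write_sni_checked(region, region + OUT_LEN, make_hostname(hlen), &olen);
    for (i = OUT_LEN; i < sizeof region; i++)
        if (region[i] != 0xAA)
            return -99;
    return ret == 0 ? (long)olen : ret;
}

int main(void)
{
    printf("55-byte name: unchecked clobbers %zu guard bytes, checked -> %ld\n",
           sni_unchecked_overrun(55), sni_checked_result(55));
    printf("80-byte name: unchecked clobbers %zu guard bytes, checked -> %ld\n",
           sni_unchecked_overrun(80), sni_checked_result(80));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. A 55-byte name fills the 64-byte pretend buffer exactly and both writers agree; at 56 bytes the unchecked writer already puts one byte into the guard, while the checked one refuses with ERR_BUFFER_TOO_SMALL and leaves the buffer untouched. The same boundary test is the one to run against any hand-written TLS extension or record serialiser, with the hostname replaced by whatever length the peer controls.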
OS | OS release | Architecture | Package | Vulnerable version | Fixed package |
---|---|---|---|---|---|
Mageia | 5 | noarch | mbedtls | < 1.3.16-1 | mbedtls-1.3.16-1.mga5 |
Mageia | 5 | noarch | hiawatha | < 9.13-1 | hiawatha-9.13-1.mga5 |
Mageia | 5 | noarch | belle-sip | < 1.4.2-1 | belle-sip-1.4.2-1.mga5 |
Mageia | 5 | noarch | linphone | < 3.8.1-1.1 | linphone-3.8.1-1.1.mga5 |
Mageia | 5 | noarch | pdns | < 3.3.3-1.1 | pdns-3.3.3-1.1.mga5 |
bugs.mageia.org/show_bug.cgi?id=17187
lists.fedoraproject.org/pipermail/package-announce/2015-June/159916.html
lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html
lists.fedoraproject.org/pipermail/package-announce/2016-January/175762.html
tls.mbed.org/tech-updates/releases/mbedtls-1.3.10-released
tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released
tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released
tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released
tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-polarssl.1.2.18-released
tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released
tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01