[Bug 988956] New: mbedtls: Update to version 1.3.17
http://bugzilla.opensuse.org/show_bug.cgi?id=988956

Bug ID: 988956
Summary: mbedtls: Update to version 1.3.17
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: mpluskal@suse.com
Reporter: mpluskal@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

New release of mbedtls offers the following fixes and improvements:

* Security
  + Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt required by PKCS1 v2.2
  + Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS.
  + Fix potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
* Bugfix
  + Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments were the same (in-place doubling). Found and fixed by Janos Follath. #309
  + Fix issue in Makefile that prevented building using armar.
  + Fix issue that caused a hang up when generating RSA keys of odd bitlength
  + Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer dereference possible.
  + Fix issue that caused a crash if invalid curves were passed to mbedtls_ssl_conf_curves. #373
* Changes
  + On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, don't use the optimized assembly for bignum multiplication. This removes the need to pass -fomit-frame-pointer to avoid a build error with -O0.
  + Disabled SSLv3 in the default configuration.
  + Fix non-compliance server extension handling. Extensions for SSLv3 are now ignored, as required by RFC6101.

--
You are receiving this mail because: You are on the CC list for the bug.
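As an added example (not mbed TLS code and not part of the original report), the padding length check named in the first security item can be written as below: PKCS#1 v1.5 decryption must reject a block whose padding string PS is shorter than eight bytes. The helper name `pkcs1_v15_check_padding` and the 16-byte sample blocks are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed 16-byte blocks (real blocks are as long as the RSA modulus). */
static const unsigned char EM_OK[16] = {          /* 8-byte PS, M = "hello" */
    0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x00, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char EM_SHORT_PS[16] = {    /* 4-byte PS: must fail */
    0x00, 0x02, 0x11, 0x22, 0x33, 0x44,
    0x00, 's', 'h', 'o', 'r', 't', 'p', 'a', 'd', '!' };

/* Hypothetical helper, not an mbed TLS function: check
 * EM = 0x00 || 0x02 || PS || 0x00 || M, where PS is nonzero and >= 8 bytes.
 * Returns 0 and the location of M, or -1 for every kind of padding error. */
int pkcs1_v15_check_padding(const unsigned char *em, size_t k,
                            size_t *msg_off, size_t *msg_len)
{
    unsigned char bad = 0, pad_done = 0;
    size_t i, pad_count = 0;

    if (em == NULL || msg_off == NULL || msg_len == NULL || k < 11)
        return -1;                    /* 2 header + 8 PS + 1 separator */

    bad |= em[0];                     /* leading byte must be 0x00 */
    bad |= em[1] ^ 0x02;              /* block type must be 0x02 */

    /* Walk the whole block without stopping at the separator. */
    for (i = 2; i < k; i++) {
        unsigned char is_zero = (unsigned char)((((unsigned)em[i] - 1u) >> 8) & 1u);
        pad_done |= is_zero;                   /* set once 0x00 is seen */
        pad_count += (size_t)(pad_done ^ 1u);  /* counts PS bytes only */
    }
    bad |= (unsigned char)(pad_done ^ 1u);     /* no separator at all */
    bad |= (unsigned char)(pad_count < 8);     /* the padding length check */

    if (bad)
        return -1;
    *msg_off = 2 + pad_count + 1;
    *msg_len = k - *msg_off;
    return 0;
}

int main(void)
{
    size_t off = 0, len = 0;
    printf("8-byte PS: %d\n", pkcs1_v15_check_padding(EM_OK, 16, &off, &len));
    printf("4-byte PS: %d\n", pkcs1_v15_check_padding(EM_SHORT_PS, 16, &off, &len));
    return 0;
}
```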
Martin Pluskal
http://bugzilla.opensuse.org/show_bug.cgi?id=988956#c2
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=988956#c4
Martin Pluskal
https://github.com/ARMmbed/mbedtls/commit/fd349bcb8e775fe547125ad12d4f83e891360664
This also affects openSUSE:13.2:Update/polarssl, please back-port the above.
Hmpf, most of the code is quite different from polarssl - and so far I am not aware of any CVE for polarssl - so closing for now.