openSUSE Security Update: Security update for mbedtls ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:0491-1 Rating: moderate References: #1080826 #1080828 #1080973 Cross-References: CVE-2017-18187 CVE-2018-0487 CVE-2018-0488 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for mbedtls fixes the following issues: - CVE-2018-0487: Fixed a buffer overflow in RSASSA-PSS signature verification, which allowed remote attackers to execute arbitrary code or cause a denial of service via a crafted certificate chain. (boo#1080826) - CVE-2018-0488: Fixed a heap vulnerability, which allowed remote attackers to execute arbitrary code or cause a DoS via a crafted application packet when the truncated HMAC extension and CBC are used. (boo#1080828) - CVE-2017-18187: Fixed bound check in ssl_parse_client_psk_identity(), which might lead to an overflow. (boo#1080973) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-186=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.3 (i586 x86_64): libmbedtls9-1.3.19-21.1 libmbedtls9-debuginfo-1.3.19-21.1 mbedtls-debugsource-1.3.19-21.1 mbedtls-devel-1.3.19-21.1 - openSUSE Leap 42.3 (x86_64): libmbedtls9-32bit-1.3.19-21.1 libmbedtls9-debuginfo-32bit-1.3.19-21.1 References: https://www.suse.com/security/cve/CVE-2017-18187.html https://www.suse.com/security/cve/CVE-2018-0487.html https://www.suse.com/security/cve/CVE-2018-0488.html https://bugzilla.suse.com/1080826 https://bugzilla.suse.com/1080828 https://bugzilla.suse.com/1080973