Updated mbedtls/hiawatha/belle-sip/linphone/pdns packages fix security vulnerabilityPublication date: 09 Feb 2016
Affected Mageia releases : 5
CVE: CVE-2015-5291 , CVE-2015-8036
Note: this package was called polarssl, but is now called mbed tls. The PolarSSL software is now called mbed TLS. Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message (CVE-2015-5291). Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session (CVE-2015-8036). The mbedtls package has been updated to version 1.3.16, which contains several other bug fixes, security fixes, and security enhancements. The hiawatha package, which uses the polarssl/mbedtls library, has been updated to version 9.13 for improved compatibility. The belle-sip library package has been updated to version 1.4.2 for improved compatibility and the linphone package has been rebuilt against mbedtls. The pdns package has also been rebuilt against mbedtls.