{ "schema_version": "1.7.0", "id": "MGASA-2016-0054", "published": "2016-02-09T13:05:25Z", "modified": "2016-02-09T12:43:02Z", "summary": "Updated mbedtls/hiawatha/belle-sip/linphone/pdns packages fix security vulnerability", "details": "Note: this package was called polarssl, but is now called mbed tls. The\nPolarSSL software is now called mbed TLS.\n\nHeap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before\n1.3.14 allows remote SSL servers to cause a denial of service\n(client crash) and possibly execute arbitrary code via a long hostname to\nthe server name indication (SNI) extension, which is not properly handled\nwhen creating a ClientHello message (CVE-2015-5291).\n\nHeap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before\n1.3.14 allows remote SSL servers to cause a denial of service\n(client crash) and possibly execute arbitrary code via a long session\nticket name to the session ticket extension, which is not properly\nhandled when creating a ClientHello message to resume a session\n(CVE-2015-8036).\n\nThe mbedtls package has been updated to version 1.3.16, which contains\nseveral other bug fixes, security fixes, and security enhancements.\n\nThe hiawatha package, which uses the polarssl/mbedtls library, has been\nupdated to version 9.13 for improved compatibility.\n\nThe belle-sip library package has been updated to version 1.4.2 for\nimproved compatibility and the linphone package has been rebuilt against\nmbedtls.\n\nThe pdns package has also been rebuilt against mbedtls.\n", "upstream": [ "CVE-2015-5291", "CVE-2015-8036" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2016-0054.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=17187" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.10-released" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-polarssl.1.2.18-released" }, { "type": "WEB", "url": "https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released" }, { "type": "ADVISORY", "url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159916.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175762.html" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "mbedtls", "purl": "pkg:rpm/mageia/mbedtls?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.3.16-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:5", "name": "hiawatha", "purl": "pkg:rpm/mageia/hiawatha?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.13-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:5", "name": "belle-sip", "purl": "pkg:rpm/mageia/belle-sip?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.4.2-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:5", "name": "linphone", "purl": "pkg:rpm/mageia/linphone?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.8.1-1.1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:5", "name": "pdns", "purl": "pkg:rpm/mageia/pdns?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.3.3-1.1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }