Advisories » MGASA-2017-0094

Updated mbedtls packages fix security vulnerability

Publication date: 27 Mar 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-2784

Description

In mbedTLS before 1.3.19, if a malicious peer supplies a certificate with
a specially crafted secp224k1 public key, an attacker can cause the
server or client to attempt to free a block of memory held on the stack.
Depending on the platform, this could result in a Denial of Service
(client crash) or potentially be exploited to allow remote code
execution with the same privileges as the host application
(CVE-2017-2784).

The mbedtls package has been updated to version 1.3.19, fixing this issue
as well as other security issues and bugs.
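As an added example that is not part of this advisory or of mbed TLS itself: a minimal DER walker that reads the named-curve OID out of a certificate's SubjectPublicKeyInfo, so a TLS front end or log pipeline can flag peer certificates carrying a secp224k1 key (OID 1.3.132.0.32) while unpatched mbedtls builds are still in service. The two SPKI byte strings are constructed for the example and are not valid keys; only the DER framing matters.

```python
# Added example: detect EC public keys on secp224k1 in a DER SubjectPublicKeyInfo.
SECP224K1_OID = "1.3.132.0.32"            # SEC 2 arc for secp224k1
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def named_curve_of_spki(spki):
    """Return the namedCurve OID of an EC SubjectPublicKeyInfo, else None."""
    tag, seq, _ = _read_tlv(spki, 0)      # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = _read_tlv(seq, 0)       # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(alg_oid) != EC_PUBLIC_KEY_OID:
        return None                       # RSA or other non-EC key
    tag, params, _ = _read_tlv(alg, pos)  # ECParameters
    if tag != 0x06:
        return None                       # explicit or implicit params, not namedCurve
    return _decode_oid(params)

def uses_secp224k1(spki):
    """True when the key is on the curve this advisory (CVE-2017-2784) concerns."""
    return named_curve_of_spki(spki) == SECP224K1_OID

# Constructed samples (not real keys): id-ecPublicKey with a namedCurve and a
# dummy BIT STRING in place of the point.
SAMPLE_SECP224K1_SPKI = bytes.fromhex(
    "3017" "3010" "06072a8648ce3d0201" "06052b81040020" "03030004ab")
SAMPLE_SECP256R1_SPKI = bytes.fromhex(
    "301a" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03030004ab")
```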

References

SRPMS

5/core