Updated mbedtls packages fix security vulnerabilities
Publication date: 03 Nov 2018Modification date: 03 Nov 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-0497 , CVE-2018-0498
Description
Updated mbedtls package fixes security vulnerabilities: Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels (CVE-2018-0497). Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions (CVE-2018-0498). Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing (no CVE assigned).
References
- https://bugs.mageia.org/show_bug.cgi?id=23660
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.13.0-2.7.6-and-2.1.15-released
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0497
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0498
SRPMS
6/core
- mbedtls-2.7.6-1.mga6