Advisories ยป MGASA-2018-0432

Updated mbedtls packages fix security vulnerabilities

Publication date: 03 Nov 2018
Modification date: 03 Nov 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-0497 , CVE-2018-0498

Description

Updated mbedtls package fixes security vulnerabilities:

Fixed a vulnerability in the TLS ciphersuites based on use of CBC and
SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker
to partially recover the plaintext of messages under certains conditions
by exploiting timing side-channels (CVE-2018-0497).

Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0
to 1.2, that allowed a local attacker, with the ability to execute code
on the local machine as well as to manipulate network packets, to partially
recover the plaintext of messages under certain conditions (CVE-2018-0498).

Fixed an issue in the X.509 module which could lead to a buffer overread
during certificate extensions parsing (no CVE assigned).
                

References

SRPMS

6/core