Source: axtls
Version: 2.1.5+ds-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for axtls.

CVE-2019-9689[0]:
| process_certificate in tls1.c in Cameron Hamilton-Rich axTLS through
| 2.1.5 has a Buffer Overflow via a crafted TLS certificate handshake
| message with zero certificates.

CVE-2019-10013[1]:
| The asn1_signature function in asn1.c in Cameron Hamilton-Rich axTLS
| through 2.1.5 has a Buffer Overflow that allows remote attackers to
| cause a denial of service (memory and CPU consumption) via a crafted
| certificate in the TLS certificate handshake message, because the
| result of get_asn1_length() is not checked for a minimum or maximum
| size.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9689
[1] https://security-tracker.debian.org/tracker/CVE-2019-10013
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10013
[2] https://seclists.org/bugtraq/2019/Nov/44

Regards,
Salvatore
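
The kind of minimum/maximum check that the CVE-2019-10013 description says is missing, shown as an added example that is not part of the report and is not axTLS code or its upstream fix. The function name der_read_length, the sample buffers and the 2..512 byte bounds are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not axTLS's get_asn1_length): decode an ASN.1 length
 * at buf[*off] and accept it only if it lies in [min_len, max_len] and the
 * value it describes fits in the remaining input. Returns 0 on success. */
int der_read_length(const uint8_t *buf, size_t buf_len, size_t *off,
                    size_t min_len, size_t max_len, size_t *out_len)
{
    size_t pos = *off, len;
    if (pos >= buf_len)
        return -1;                      /* no length octet available */
    uint8_t first = buf[pos++];
    if (!(first & 0x80)) {
        len = first;                    /* short form: 0..127 */
    } else {
        size_t n = first & 0x7f;        /* long form: n length octets follow */
        if (n == 0 || n > sizeof(uint32_t))
            return -1;                  /* indefinite or oversized encoding */
        if (n > buf_len - pos)
            return -1;                  /* length octets truncated */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
    }
    if (len < min_len || len > max_len)
        return -1;                      /* outside the caller's expected range */
    if (len > buf_len - pos)
        return -1;                      /* value would run past the input */
    *off = pos;                         /* only advance on success */
    *out_len = len;
    return 0;
}

/* Constructed sample inputs: tag octet followed by a length field. */
static const uint8_t ok_sig[] = {0x03, 0x03, 0x00, 0xAA, 0xBB};
static const uint8_t huge[]   = {0x03, 0x84, 0x7f, 0xff, 0xff, 0xff, 0x00};
static const uint8_t empty[]  = {0x03, 0x00};

int main(void)
{
    size_t off = 1, len = 0;
    int ok = der_read_length(ok_sig, sizeof ok_sig, &off, 2, 512, &len);
    off = 1;
    int bad = der_read_length(huge, sizeof huge, &off, 2, 512, &len);
    off = 1;
    int zero = der_read_length(empty, sizeof empty, &off, 2, 512, &len);
    printf("well-formed: %d, oversized: %d, empty: %d\n", ok, bad, zero);
    return 0;
}
```

The caller passes the range it is prepared to allocate or copy for that field, so a length that is zero, implausibly large, or longer than the received message is rejected before any buffer is sized from it.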