Your message dated Sat, 27 May 2017 12:33:40 +0000
with message-id <[email protected]>
and subject line Bug#857561: fixed in polarssl 1.3.9-2.1+deb8u2
has caused the Debian Bug report #857561,
regarding polarssl: CVE-2017-2784: Freeing of memory allocated on stack when
validating a public key with a secp224k1 curve
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
857561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857561
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libmbedcrypto0
Version: 2.4.0-1
Severity: grave
Tags: security
Control: clone -1 -2
Control: reassign -2 libpolarssl7 1.3.9-2.1+deb8u1
Control: retitle -2 polarssl: CVE-2017-2748 - Freeing of memory allocated on
stack when validating a public key with a secp224k1 curve
Hi all,
This security advisory was recently published and contains one "high"
severity bug:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
The security changelog for 2.4.2 also contains fixes for some other
bugs as well. The 3rd bug (relating to SLOTH) does not affect polarssl.
= mbed TLS 2.4.2 branch released 2017-03-08
Security
* Add checks to prevent signature forgeries for very large messages while
using RSA through the PK module in 64-bit systems. The issue was caused by
some data loss when casting a size_t to an unsigned int value in the
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
* Fixed potential livelock during the parsing of a CRL in PEM format in
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
characters after the footer could result in the execution of an infinite
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Microsoft.
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Introduced by interoperability fix for #513.
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
when verifying the validity of a key on secp224k1. This could be
triggered remotely for example with a maliciously constructed certificate
and potentially could lead to remote code execution on some platforms.
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
team. #569 CVE-2017-2784
Thanks,
James
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: polarssl
Source-Version: 1.3.9-2.1+deb8u2
We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated polarssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 May 2017 09:42:21 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl7
Architecture: source
Version: 1.3.9-2.1+deb8u2
Distribution: jessie
Urgency: high
Maintainer: Roland Stigge <[email protected]>
Changed-By: James Cowgill <[email protected]>
Description:
libpolarssl-dev - lightweight crypto and SSL/TLS library
libpolarssl-runtime - lightweight crypto and SSL/TLS library
libpolarssl7 - lightweight crypto and SSL/TLS library
Closes: 857561
Changes:
polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high
.
* Fix CVE-2017-2784: Freeing of memory allocated on stack when
validating a public key with a secp224k1 curve. (Closes: #857561)
Checksums-Sha1:
917394c6dc4bc3b6d52631e4966bf3dc36890852 1898 polarssl_1.3.9-2.1+deb8u2.dsc
dbdf2ef546952e9c1c163266074b3d9a579d7b8b 9600
polarssl_1.3.9-2.1+deb8u2.debian.tar.xz
affd95436ea21972e41ec193401f01591ef44f3c 5575
polarssl_1.3.9-2.1+deb8u2_source.buildinfo
Checksums-Sha256:
924b06b5bb03ab5cd9981b57fca713ff156df04b43ceb06587d6559d8265125a 1898
polarssl_1.3.9-2.1+deb8u2.dsc
3a445eb6efb0207b1d949019ee4e2ddadde6807a9d96eac724a3ba2762d2483f 9600
polarssl_1.3.9-2.1+deb8u2.debian.tar.xz
73d80573ddc8658e3d513698ee1f220667a3675f186f40827f54f4fa4dd0cc11 5575
polarssl_1.3.9-2.1+deb8u2_source.buildinfo
Files:
96673751fcb0634f400a83f587f1437d 1898 libs optional
polarssl_1.3.9-2.1+deb8u2.dsc
e07fff4c09d47586fc62b4f62135dc67 9600 libs optional
polarssl_1.3.9-2.1+deb8u2.debian.tar.xz
e31f53055633f37f134231a6895a84c5 5575 libs optional
polarssl_1.3.9-2.1+deb8u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlkSz2wACgkQx/Fnbeot
Ae8EtxAArVdlR0G+bLtKcV41HP8SPziJCWRS8JzsnWsrtJzonnVx0/bp1uBO55uQ
gsmUXgHToTfEOxNgAVJw8Z5wclUkII+NPBA16RbNe6/xpyyqlZS9tZ69lRLOFRtb
so0vsd4BUgfz/4KQITN70n/rAEvbpawJPmp2XUNhmpzTvnwQiDMzuliEApyXknkh
NpBlX+rc1gHRiJZRrQ6s8Rrj/MPMx6Cn0BUFovTRLZhi4mYWVK/qnSV0Xx4/dM2R
OhuTAs1A3/X0BFNP0p3zTdLVrJBTqqolYcN9Kl5oB/EhtTBOygoV8s5TeSnaoEbr
UjBGgOcanPYPD9DPpPYJ/JTOZJGzosqbmSTJMItntTRh7Kj4FLLtySWyJTbZRWWD
z7fI0F0A3+qc/04OigIB0ggW8T9Ew4/ECn+lrrL4h1MHZIHIu8jnCtgO5Qc9Fq2R
raI9aHvBMMn7HNDmXfGsyBkc+qFm2jtnLcMyShmWU0h8X6B4iVXgL1aYZsjRyKLm
7vy/2B0wB9BLk3ZueZW9HnYeqgBFpgiMkOiAFIZE6IBFBOIqI3TBiHKOQBzo/aKB
vS7C0q3H+NPzcFJN1xvaqlYA3ykaSIHEEB72l0l2T8i3SKeHEzO57AfuQClKjZ/a
pddjgOT8ZG/TMmx2q07CZzRMidEG+nY6PO9iW02OiZochCkaP4M=
=H9Fc
-----END PGP SIGNATURE-----
--- End Message ---
