Your message dated Fri, 08 Sep 2017 22:17:08 +0000
with message-id <e1dqrag-000iug...@fasolo.debian.org>
and subject line Bug#873557: fixed in mbedtls 2.4.2-1+deb9u1
has caused the Debian Bug report #873557,
regarding mbedtls: CVE-2017-14032: authentication bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
873557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873557
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security

Hi,

The following security advisory was published for mbedtls:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02

[Vulnerability]
If a malicious peer supplies an X.509 certificate chain that has more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is 8), it
could bypass authentication of the certificates, when the authentication mode
was set to 'optional' eg. MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be
triggered remotely by both the client and server sides. If the authentication
mode, which can be set by the function mbedtls_ssl_conf_authmode(), was set
to 'required' eg. MBEDTLS_SSL_VERIFY_REQUIRED which is the default,
authentication would occur normally as intended.

[Impact]
Depending on the platform, an attack exploiting this vulnerability could
allow successful impersonation of the intended peer and permit
man-in-the-middle attacks.

The advisory states that only mbedtls >= 1.3.10 is affected, which means
that jessie's version of polarssl is not affected.

I think this is the commit which fixes this, but I have not checked yet:
https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32

James
--- End Message ---
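The report above gives an affected range (mbedtls >= 1.3.10) and the closure message names the fixed stretch-security version (2.4.2-1+deb9u1). Deciding whether a given installed version sits inside that range needs the dpkg version ordering, not a plain string or float comparison: "1.3.9" must sort below "1.3.10", and "2.4.2-1" below "2.4.2-1+deb9u1". The following is an added example, not code from the bug report, from Debian or from the mbedtls project; it re-implements dpkg's version comparison in Python (epoch, upstream version, Debian revision; '~' sorts before everything) and uses the two versions from the page as the range bounds. The sample versions passed to it at the bottom are constructed.

```python
"""Added example: is an installed mbedtls/polarssl version in the affected range?

The range bounds come from the page; the comparison is a re-implementation of
dpkg's version ordering (dpkg_version_compare / verrevcmp), written here for
illustration. It is not Debian's or mbedtls's own code.
"""

FIRST_AFFECTED = "1.3.10"          # advisory: only mbedtls >= 1.3.10 is affected
FIXED_VERSION = "2.4.2-1+deb9u1"   # stretch-security upload that closes the bug


def _order(ch: str) -> int:
    """dpkg's character weight for the non-digit parts of a version string."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1                  # '~' sorts before anything, even end of string
    return ord(ch) + 256           # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run of digits is the larger number,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"   # dpkg treats a missing revision as 0
    return int(epoch), upstream, revision


def debian_version_compare(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a sorts before, equal to, or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    if c:
        return c
    return _verrevcmp(ra, rb)


def is_affected(installed: str) -> bool:
    """True when installed is in [FIRST_AFFECTED, FIXED_VERSION)."""
    return (debian_version_compare(installed, FIRST_AFFECTED) >= 0
            and debian_version_compare(installed, FIXED_VERSION) < 0)


if __name__ == "__main__":
    # Constructed sample versions; 2.1.2-1 is the version the report was filed against.
    for v in ("1.3.9-2", "2.1.2-1", "2.4.2-1", "2.4.2-1+deb9u1"):
        print(f"{v:18} {'affected' if is_affected(v) else 'not affected'}")
```

On a real host the string to feed `is_affected()` is the output of `dpkg-query -W -f '${Version}' libmbedtls10` (or the polarssl package on jessie); the upper bound is the fixed version for the suite in use, which for stretch is the one quoted from the page.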
--- Begin Message ---
Source: mbedtls
Source-Version: 2.4.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Sep 2017 09:29:59 +0100
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.4.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: James Cowgill <jcowg...@debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 873557
Changes:
 mbedtls (2.4.2-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-14032: If optional authentication is configured, allows
     remote attackers to bypass peer authentication via an X.509 certificate
     chain with many intermediates. (Closes: #873557)
Checksums-Sha1:
 387483bc2864ffbad43d7d8d9550d981b021f878 2248 mbedtls_2.4.2-1+deb9u1.dsc
 71e0aa93e4548611fdb15af93e8b93b30c764e4c 1925368 mbedtls_2.4.2.orig.tar.gz
 a834a8283e89aabcb7fb5eb53a01a33f798f971d 12424 mbedtls_2.4.2-1+deb9u1.debian.tar.xz
 33faeaa5af8aa12b27fb67b04072209d2a073456 6171 mbedtls_2.4.2-1+deb9u1_source.buildinfo
Checksums-Sha256:
 dca38409f50f68221a7c452a8d446ecbca41ce24c4bcdb6a33a5ed7911df35a9 2248 mbedtls_2.4.2-1+deb9u1.dsc
 17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018 1925368 mbedtls_2.4.2.orig.tar.gz
 9059433533496b9ed2b63d77c121c25d80ff64f72432788361dff07dc9894cec 12424 mbedtls_2.4.2-1+deb9u1.debian.tar.xz
 009d3e996cf72b9d19717af294b32e2338c076c0431d6e3a22c7bb1574f34c2b 6171 mbedtls_2.4.2-1+deb9u1_source.buildinfo
Files:
 5cc1dcccc78d00eda04d9b15e1bf2d2d 2248 libs optional mbedtls_2.4.2-1+deb9u1.dsc
 8e3a8357e0fc23a3954a819027f5167e 1925368 libs optional mbedtls_2.4.2.orig.tar.gz
 bb1c71888e031b85de4d4dbbae2d32de 12424 libs optional mbedtls_2.4.2-1+deb9u1.debian.tar.xz
 db358bec72552b71eaf3ef9762df0168 6171 libs optional mbedtls_2.4.2-1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlmwOUkUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe94Jg/9F+D/OfD3tHg/jpxZID/kaQgZ5dou
n0r8e6s2TFr69pBGQZYYmO5Qs4yhkaXFhUKt/JfojMcvkEozBxc/OYJSUug7T2b4
9tlsfY8EDbXHSDKHU5y0kFEpOaKG0hruCTaocGuW0oWqY0eFWGML9bghyuY+guzt
6XI65fGJTg9YOFX+jntD7F5KaYbNf9IavrDaKZEl9Wx2DthwGWqt2ITrbnxqMct2
R74N5FJjhmEegc7OnnzIfLbvSqkcuXu/xRmm47VaYwwLLzU5br6fPNE60TZg7UNk
+6ZmAAxuoYyu4bHfVo0C3yTufQGCqEbqIuFP0U9WSfBt9/YuO407C9cV96NpupR0
TI0D4SDW8eTz8ySGYaKGMD7dAd/bEjhp7iBV6fiKRRii3jXBBKOYfWhDweLS8mbh
/KWVj/32HCdeSP3hY+MvvJOpcCgRDrNu7Aa+OsYNoTA1lgVQVS60ALsuDC4TgsRK
oBW6BBR4+RQc1jfGW/qpI58u73rU2GlzTm+yZ3eDCd1JCUbcd0M26oOBjPpuVipU
Drt86lQVWzO7a4KI82qH6jL4EU+jFwehc+WpUlKyjotfAABcapBGcBCivZqernp9
jh+vYFqfM92mB4uUKsxK5U2iRMr2iHQPz/7r1qArhAMCMACvJ2paWC0AE7WqU3uq
9sqB6vKS/IldzJI=
=Kh9F
-----END PGP SIGNATURE-----
--- End Message ---
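The signed .changes file above lists, per source artifact, a SHA-256 digest and a byte size. Anyone rebuilding or mirroring the update should check fetched files against that stanza, after first confirming the PGP signature on the .changes with gpg (a checksum list is only as trustworthy as the signature covering it). The following is an added example, not Debian's or mbedtls's own tooling: it parses a Checksums-Sha256 field in the .changes layout (field name at column 0, one space-indented `digest size filename` line per file) and verifies files in a directory, reporting missing files, size mismatches and digest mismatches separately. The `PAGE_STANZA` is copied from the message above; the files and digests in `demo()` are constructed in a temporary directory.

```python
"""Added example: verify downloaded files against a .changes Checksums-Sha256 field.

Not Debian's or mbedtls's own code. The parser follows the deb822 layout used by
.changes files; the demo data is constructed here.
"""
import hashlib
import os
import tempfile

# Copied from the .changes file in the bug closure message above.
PAGE_STANZA = """Format: 1.8
Checksums-Sha256:
 dca38409f50f68221a7c452a8d446ecbca41ce24c4bcdb6a33a5ed7911df35a9 2248 mbedtls_2.4.2-1+deb9u1.dsc
 17dd98af7478aadacc480c7e4159e447353b5b2037c1b6d48ed4fd157fb1b018 1925368 mbedtls_2.4.2.orig.tar.gz
 9059433533496b9ed2b63d77c121c25d80ff64f72432788361dff07dc9894cec 12424 mbedtls_2.4.2-1+deb9u1.debian.tar.xz
 009d3e996cf72b9d19717af294b32e2338c076c0431d6e3a22c7bb1574f34c2b 6171 mbedtls_2.4.2-1+deb9u1_source.buildinfo
Files:
 5cc1dcccc78d00eda04d9b15e1bf2d2d 2248 libs optional mbedtls_2.4.2-1+deb9u1.dsc
"""


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hex digest, size)} for one Checksums-* field.

    A field starts at column 0 ("Name:"); its entries are the following lines
    that start with a space. Any other column-0 line ends the field.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line.startswith(" "):
            in_field = line.rstrip() == field + ":"
            continue
        if in_field:
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(entries: dict, directory: str) -> dict:
    """Check each listed file under directory and return {filename: status}."""
    results = {}
    for name, (digest, size) in entries.items():
        if os.path.basename(name) != name:      # refuse names carrying a path
            results[name] = "bad-name"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:        # cheap check before hashing
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "hash-mismatch"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed sample tarball bytes\n"
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.tar.gz"), "wb") as f:
            f.write(good[:-1] + b"!")            # same length, different content
        stanza = "Format: 1.8\nChecksums-Sha256:\n"
        for name in ("good.tar.gz", "tampered.tar.gz", "missing.dsc"):
            stanza += f" {hashlib.sha256(good).hexdigest()} {len(good)} {name}\n"
        return verify_files(parse_checksums(stanza), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18} {status}")
    print("page stanza lists", sorted(parse_checksums(PAGE_STANZA)))
```

Running `verify_files(parse_checksums(PAGE_STANZA), "<download dir>")` against a directory holding the four source files from the update is the real use; the demo only exercises the three failure classes on constructed data.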