Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115922.html

The issue is fixed upstream in version 1.2.8. There is also an upstream advisory:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
Whoops. There are more security fixes here...
https://polarssl.org/tech-updates/releases/polarssl-1.2.6-released

CVE-2013-0169 - TLS and DTLS protocol issue (Lucky Thirteen)
CVE-2013-1621 - Out-of-bounds comparisons
1.2.8 has been submitted to cauldron.
1.2.8 has been submitted to mga3.
Thanks Oden! Advisory to come.

Packages built:
--------------
polarssl-1.2.8-1.mga3
libpolarssl2-1.2.8-1.mga3
libpolarssl-devel-1.2.8-1.mga3

from polarssl-1.2.8-1.mga3.src.rpm

CC: (none) => oe
Version: Cauldron => 3
Assignee: oe => qa-bugs
Whiteboard: MGA3TOO => (none)
Oden, FYI the CVE entry for CVE-2013-1621 says it affects versions before 1.2.5. It could be wrong, as the CVE entries are sometimes.

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in PolarSSL before 1.2.6, does not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue (CVE-2013-0169).

Array index error in the SSL module in PolarSSL before 1.2.6 might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session (CVE-2013-1621).

A third party can set up a SSL/TLS handshake with a server and send a malformed Certificate handshake message that results in an infinite loop for that connection. With a Man-in-the-Middle attack on a client, a third party can trigger the same infinite loop on a client (CVE-2013-4623).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4623
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-01
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03
https://polarssl.org/tech-updates/releases/polarssl-1.2.6-released
https://polarssl.org/tech-updates/releases/polarssl-1.2.7-released
https://polarssl.org/tech-updates/releases/polarssl-1.2.8-released
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115922.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.2.8-1.mga3
libpolarssl2-1.2.8-1.mga3
libpolarssl-devel-1.2.8-1.mga3

from polarssl-1.2.8-1.mga3.src.rpm
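The two CBC padding issues in the advisory above (the crafted padding-length value of CVE-2013-1621 and the padding-dependent timing of CVE-2013-0169) come down to how the padding check is written. The following is an added example, not PolarSSL code and not part of the original report: a bounds-checked padding validation whose loop count depends only on the record length. The function name, helper and sample records are hypothetical, and it covers only the padding check, not equalising MAC computation time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: 4 data bytes, a 2-byte stand-in MAC, then padding. */
static const uint8_t REC_OK[]   = {1, 2, 3, 4, 0xaa, 0xbb, 3, 3, 3, 3};
static const uint8_t REC_HUGE[] = {1, 2, 3, 4, 0xaa, 0xbb, 3, 3, 3, 0xff};

/* All-ones if a < b, else 0, with no data-dependent branch.
   Assumes both values are far below SIZE_MAX/2 (true for TLS record sizes). */
static size_t ct_lt(size_t a, size_t b)
{
    return (size_t)0 - ((a - b) >> (sizeof(size_t) * 8 - 1));
}

/* Hypothetical helper: validate TLS 1.x CBC padding on a decrypted record.
   Returns 1 and sets *padlen to the bytes to strip (p + 1) when valid;
   returns 0 and sets *padlen to 0 otherwise, so the caller still runs the MAC. */
int tls_cbc_check_padding(const uint8_t *rec, size_t len, size_t maclen, size_t *padlen)
{
    size_t i, scan, in_range, good, bad = 0;
    uint8_t p;
    *padlen = 0;
    if (len < maclen + 1)      /* lengths are public, so branching here is fine */
        return 0;
    p = rec[len - 1];          /* padding-length byte, controlled by the peer */

    /* Bounds: p + 1 + maclen must fit in the record. Trusting p without this
       check is what lets a crafted value index outside the buffer. */
    in_range = ct_lt((size_t)p + maclen, len);

    /* Scan a count that depends only on len, never on p, and mask out bytes
       that are not padding, so the loop's work does not depend on p. */
    scan = (len - 1 < 255) ? len - 1 : 255;
    for (i = 0; i < scan; i++)
        bad |= ct_lt(i, p) & (size_t)(rec[len - 2 - i] ^ p);
    good = ct_lt(bad, 1) & in_range;
    *padlen = good & ((size_t)p + 1);
    return (int)(good & 1);
}

int main(void)
{
    size_t n = 0;
    int ok = tls_cbc_check_padding(REC_OK, sizeof REC_OK, 2, &n);
    printf("valid=%d strip=%zu\n", ok, n);
    printf("oversized=%d\n", tls_cbc_check_padding(REC_HUGE, sizeof REC_HUGE, 2, &n));
    return 0;
}
```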
Advisory 11275.adv committed to svn.
CC: (none) => davidwhodgins
No poc, so just testing using polarssl-selftest. Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 11275.adv to updates.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0290.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED