Bug 11275 - polarssl new security issue CVE-2013-4623
: polarssl new security issue CVE-2013-4623
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/567930/
: MGA3-64-OK MGA3-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-23 19:26 CEST by David Walser
Modified: 2013-09-24 23:46 CEST (History)
4 users (show)

See Also:
Source RPM: polarssl-1.2.5-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-09-23 19:26:06 CEST
Fedora has issued an advisory on September 11:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115922.html

The issue is fixed upstream in version 1.2.8.

There is also an upstream advisory:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-09-24 10:19:12 CEST
Whoops. There's more security fixes here...

https://polarssl.org/tech-updates/releases/polarssl-1.2.6-released


    CVE-2013-0169 - TLS and DTLS protocol issue (Lucky Thirteen)
    CVE-2013-1621 - Out-of-bounds comparisons
Comment 2 Oden Eriksson 2013-09-24 10:22:02 CEST
1.2.8 has been submitted to cauldron.
Comment 3 Oden Eriksson 2013-09-24 10:31:32 CEST
1.2.8 has been submitted to mga3.
Comment 4 David Walser 2013-09-24 12:27:10 CEST
Thanks Oden!

Advisory to come.

Packages built:
--------------
polarssl-1.2.8-1.mga3
libpolarssl2-1.2.8-1.mga3
libpolarssl-devel-1.2.8-1.mga3

from polarssl-1.2.8-1.mga3.src.rpm
Comment 5 David Walser 2013-09-24 14:35:45 CEST
Oden, FYI the CVE entry for CVE-2013-1621 says it affects versions before 1.2.5.  It could be wrong, as the CVE entries are sometimes.

Advisory:
========================

Updated polarssl packages fix security vulnerability:

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in
PolarSSL before 1.2.6, does not properly consider timing side-channel attacks
on a MAC check requirement during the processing of malformed CBC padding,
which allows remote attackers to conduct distinguishing attacks and plaintext-
recovery attacks via statistical analysis of timing data for crafted packets,
aka the "Lucky Thirteen" issue (CVE-2013-0169).

Array index error in the SSL module in PolarSSL before 1.2.6 might allow
remote attackers to cause a denial of service via vectors involving a crafted
padding-length value during validation of CBC padding in a TLS session
(CVE-2013-1621).

A third party can set up a SSL/TLS handshake with a server and send a
malformed Certificate handshake message that results in an infinite loop for
that connection. With a Man-in-the-Middle attack on a client, a third party
can trigger the same infinite loop on a client (CVE-2013-4623).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4623
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-01
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03
https://polarssl.org/tech-updates/releases/polarssl-1.2.6-released
https://polarssl.org/tech-updates/releases/polarssl-1.2.7-released
https://polarssl.org/tech-updates/releases/polarssl-1.2.8-released
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115922.html
========================

Updated packages in core/updates_testing:
========================
polarssl-1.2.8-1.mga3
libpolarssl2-1.2.8-1.mga3
libpolarssl-devel-1.2.8-1.mga3

from polarssl-1.2.8-1.mga3.src.rpm
Comment 6 Dave Hodgins 2013-09-24 20:44:52 CEST
Advisory 11275.adv committed to svn.
Comment 7 Dave Hodgins 2013-09-24 23:31:07 CEST
No poc, so just testing using polarssl-selftest.
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11275.adv to updates.
Comment 8 Thomas Backlund 2013-09-24 23:46:44 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0290.html

Note You need to log in before you can comment on or make changes to this bug.