Your message dated Tue, 29 Aug 2017 17:11:34 +0000
with message-id <[email protected]>
and subject line Bug#873557: fixed in mbedtls 2.6.0-1
has caused the Debian Bug report #873557,
regarding mbedtls: possible authentication bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
873557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security
Hi,
The following security advisory was published for mbedtls:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
[Vulnerability]
If a malicious peer supplies an X.509 certificate chain that has more
than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is
8), it could bypass authentication of the certificates, when the
authentication mode was set to 'optional' eg.
MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be triggered remotely by
both the client and server sides.
If the authentication mode, which can be set by the function
mbedtls_ssl_conf_authmode(), was set to 'required' eg.
MBEDTLS_SSL_VERIFY_REQUIRED which is the default, authentication would
occur normally as intended.
[Impact]
Depending on the platform, an attack exploiting this vulnerability could
allow successful impersonation of the intended peer and permit
man-in-the-middle attacks.
The advisory states that only mbedtls >= 1.3.10 is affected, which means
that jessie's version of polarssl is not affected.
I think this is the commit which fixes this, but I have not checked yet:
https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32
James
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 2.6.0-1
We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated mbedtls package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 29 Aug 2017 16:09:30 +0100
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.6.0-1
Distribution: unstable
Urgency: high
Maintainer: James Cowgill <[email protected]>
Changed-By: James Cowgill <[email protected]>
Description:
libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate
library
Closes: 873557
Changes:
mbedtls (2.6.0-1) unstable; urgency=high
.
* New upstream version.
- Fixes possible authentication bypass if a peer supplies a certificate
chain with more than 8 intermediates. (Closes: #873557)
.
* debian/copyright:
- Update copyright dates.
- Use https Format URL.
* debian/control:
- Bump standards to 4.1.0 (no changes required).
- Use debhelper compat 10.
* debian/libmbedcrypto0.symbols:
- Add new symbols from 2.6.0.
* debian/patches:
- Refresh config patch.
- Drop all stubs patches - upstream reverted the ABI breakage.
Checksums-Sha1:
29442316b62139fa2be3aa5036ad8ad38bba4bb1 2221 mbedtls_2.6.0-1.dsc
e914288da50977f541773f9d36e26f14926594a5 1973397 mbedtls_2.6.0.orig.tar.gz
8929984bf729d0fbe0afb09191c62d2878b0033c 11048 mbedtls_2.6.0-1.debian.tar.xz
b9c8e2304d2610ffc2a320ed3b1e5202f2bc5b4e 6203 mbedtls_2.6.0-1_source.buildinfo
Checksums-Sha256:
681980e13390160cecd0f3e69834106bde148c007333b39869f4a9f79e3f34cb 2221
mbedtls_2.6.0-1.dsc
99bc9d4212d3d885eeb96273bcde8ecc649a481404b8d7ea7bb26397c9909687 1973397
mbedtls_2.6.0.orig.tar.gz
54462b68263620ba138e4db0382b4ac519d2720a8e076045429f5124ac2633c9 11048
mbedtls_2.6.0-1.debian.tar.xz
301740075c97640356cfa0b71e116fc66d583a2d1b16794a053a526a4f536288 6203
mbedtls_2.6.0-1_source.buildinfo
Files:
4530e7540dbbc2ef06b1f157a5e0eed8 2221 libs optional mbedtls_2.6.0-1.dsc
01ede06f7d00dd8a6626494d95a63f6b 1973397 libs optional
mbedtls_2.6.0.orig.tar.gz
f153259dca5eee01b0e9934045d0f393 11048 libs optional
mbedtls_2.6.0-1.debian.tar.xz
315b4afe8efd9e64070b9a396b28f4e2 6203 libs optional
mbedtls_2.6.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlmlg9oUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe8y8Q//WptEO4zBX1TUXj54+PQuackLZqdm
5H5GOntXV5rFj+mIeVJdeJSU1yrVNyXexH9KBAsUKzr7GdhGbeeZ8+CL4wNLVb3D
oXLCuGXa8PsKpfdYeTL4mpj4w3gn1qHzcfO7zENdhuA9Yq1rmet2tLKmV2MmML1H
58H0qjNnkDw1bInShE4r+Scg6mWUkkZrri4d6OjTserRqQjR38VsL1cnmPIiukso
Oi/Ut3s1QtwlBWcklhFNJ4YUBQ89j5HC8cR6X9vzS8zDTV0JO07Djy2FTf6SJ7Kd
ae4NU5w0dGkeHGM8uaMkWcBSeeAk2fli3EvGugAvzHEXcVBwCpTdOfMhGo5u7jrN
22uStOFscaXe5BdJzzfhRyR9iPnBCLsikTwtSPicjcm6wGPP2xFItBMReM0EMJRv
9qK58bvIpxKRuwO/QiS6GW3JnsP/rvfer3ckuG4YohoC6vNeHBrD+TkFVmzOo3rd
5MDP/DJaJr+0YYrBT0FzhGVCp8D8v6Hf2PM6S1pgnfBJIv0u+SusGtT3sROlqXSC
jkCKoKwQzS1NKlrd65pQHXk/bf9r3n6uMBqq4ZfwtF0GpbHVgB6qEnfZfR/FRsWJ
lBH3QwI+3ZsIT++PvkCNgGTmDbm46dvVYU0PlMTdal2O8rNmfVjbm12hdUjVlHhG
CAJu23Lh3Q5U7Kc=
=DHhC
-----END PGP SIGNATURE-----
--- End Message ---
