Your message dated Fri, 30 Mar 2018 19:53:05 +0000
with message-id <e1f205b-0005ek...@fasolo.debian.org>
and subject line Bug#890287: fixed in polarssl 1.3.9-2.1+deb8u3
has caused the Debian Bug report #890287,
regarding mbedtls: CVE-2018-0488 - Risk of remote code execution when truncated 
HMAC is enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

Vulnerability
When the truncated HMAC extension is enabled and CBC is used, sending a
malicious application packet can be used to selectively corrupt 6 bytes
on the peer's heap, potentially leading to a crash or remote code
execution. This can be triggered remotely from either side in both TLS
and DTLS.

If the truncated HMAC extension, which can be set by the compile time
option MBEDTLS_SSL_TRUNCATED_HMAC in config.h, is disabled when
compiling the library, then the vulnerability is not present. The
truncated HMAC extension is enabled in the default configuration.

The vulnerability is only present if
* The compile-time option MBEDTLS_SSL_TRUNCATED_HMAC is set in config.h.
  (It is set by default) AND
* The truncated HMAC extension is explicitly offered by calling
  mbedtls_ssl_conf_truncated_hmac(). (It is not offered by default)

Impact
Depending on the platform, an attack exploiting this vulnerability could
lead to an application crash or allow remote code execution.

Resolution
Affected users should upgrade to Mbed TLS 1.3.22, Mbed TLS 2.1.10 or
Mbed TLS 2.7.0.

Workaround
Users should wherever possible upgrade to the newer version of Mbed TLS.
Where this is not practical, users should consider disabling the
truncated HMAC extension by removing any call to
mbedtls_ssl_conf_truncated_hmac() in their application, and the option
MBEDTLS_SSL_TRUNCATED_HMAC in the Mbed TLS configuration is practical
for their application.


--- End Message ---
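
The advisory's two conditions (option compiled in AND extension offered by the application) can be checked mechanically against a build configuration and application sources. This is an added example, not code from the bug report or from Mbed TLS; the helper names and the sample `config.h` and `app.c` contents are constructed, and `#if` blocks around the directives are not evaluated.

```python
import re

# Both names come from the advisory text; the parsing below is an approximation
# (it does not evaluate #if/#ifdef blocks around the directives).
OPTION = "MBEDTLS_SSL_TRUNCATED_HMAC"
API_CALL = "mbedtls_ssl_conf_truncated_hmac"

_NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|/\*.*?\*/|//[^\n]*', re.S)
_DIRECTIVE = re.compile(r"^[ \t]*#[ \t]*(define|undef)[ \t]+" + OPTION + r"\b", re.M)
_CALL = re.compile(r"\b" + API_CALL + r"\s*\(")

def blank_noise(src):
    """Blank comments and string/char literals, keeping newlines so line numbers hold."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def option_enabled(config_text):
    """True if the last active #define/#undef of OPTION in config.h is a #define."""
    state = False
    for m in _DIRECTIVE.finditer(blank_noise(config_text)):
        state = m.group(1) == "define"
    return state

def call_sites(source_text):
    """Line numbers of live calls to the API that offers the extension."""
    clean = blank_noise(source_text)
    return [clean.count("\n", 0, m.start()) + 1 for m in _CALL.finditer(clean)]

def assess(config_text, sources):
    """Apply the advisory's AND condition to one config.h and a {name: text} map."""
    hits = {name: lines for name, text in sources.items() if (lines := call_sites(text))}
    compiled_in = option_enabled(config_text)
    return {"compiled_in": compiled_in, "call_sites": hits,
            "exposed": compiled_in and bool(hits)}

# Constructed sample inputs (not taken from any real project).
CONFIG_DEFAULT = "#define MBEDTLS_SSL_PROTO_TLS1_2\n#define MBEDTLS_SSL_TRUNCATED_HMAC\n"
CONFIG_HARDENED = "#define MBEDTLS_SSL_PROTO_TLS1_2\n//#define MBEDTLS_SSL_TRUNCATED_HMAC\n"
APP_OFFERS = (
    "void setup(mbedtls_ssl_config *conf) {\n"
    "    /* ask the peer for short MACs */\n"
    "    mbedtls_ssl_conf_truncated_hmac(conf, MBEDTLS_SSL_TRUNC_HMAC_ENABLED);\n"
    "}\n"
)
APP_CLEAN = "void setup(mbedtls_ssl_config *conf) {\n    // mbedtls_ssl_conf_truncated_hmac(conf, 1);\n}\n"

if __name__ == "__main__":
    for cfg in (CONFIG_DEFAULT, CONFIG_HARDENED):
        for app in (APP_OFFERS, APP_CLEAN):
            print(assess(cfg, {"app.c": app}))
```

A "not exposed" result only reflects the two conditions quoted above; upgrading to a fixed release remains the resolution the advisory gives.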
--- Begin Message ---
Source: polarssl
Source-Version: 1.3.9-2.1+deb8u3

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Mar 2018 17:59:03 +0000
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl7
Architecture: source
Version: 1.3.9-2.1+deb8u3
Distribution: jessie-security
Urgency: medium
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl7 - lightweight crypto and SSL/TLS library
Closes: 890287 890288
Changes:
 polarssl (1.3.9-2.1+deb8u3) jessie-security; urgency=medium
 .
   * Fix CVE-2017-18187:
     Unsafe bounds check in ssl_parse_client_psk_identity().
   * Fix CVE-2018-0487:
     Buffer overflow when verifying RSASSA-PSS signatures. (Closes: #890288)
   * Fix CVE-2018-0488:
     Buffer overflow when truncated HMAC is enabled. (Closes: #890287)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
