Bug#890288: marked as done (mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying RSASSA-PSS signatures)

2018-03-30 Thread Debian Bug Tracking System
Your message dated Fri, 30 Mar 2018 19:53:05 +
with message-id 
and subject line Bug#890288: fixed in polarssl 1.3.9-2.1+deb8u3
has caused the Debian Bug report #890288,
regarding mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying 
RSASSA-PSS signatures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

Vulnerability
When RSASSA-PSS signature verification is enabled, sending a maliciously
constructed certificate chain can be used to cause a buffer overflow on
the peer's stack, potentially leading to crash or remote code execution.
This can be triggered remotely from either side in both TLS and DTLS.

RSASSA-PSS is part of the PKCS #1 v2.1 standard and can be enabled by
the compile-time option MBEDTLS_PKCS1_V21 in config.h. If
MBEDTLS_PKCS1_V21 is disabled when compiling the library, then the
vulnerability is not present. RSASSA-PSS signatures are enabled in the
default configuration.

Impact
Depending on the platform, an attack exploiting this vulnerability could
lead to an application crash or remote code execution.

Resolution
Affected users should upgrade to Mbed TLS 1.3.22, Mbed TLS 2.1.10 or
Mbed TLS 2.7.0.

Workaround
Users should wherever possible upgrade to the newer version of Mbed TLS.
Where this is not practical, users should consider if disabling the
option MBEDTLS_PKCS1_V21 in the Mbed TLS configuration is practical for
their application. Disabling RSASSA-PSS signatures in the verification
profile at runtime is not a sufficient countermeasure.



--- End Message ---
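
The check the advisory implies, as an added example (not part of the bug report, the advisory or the Debian packaging): a build is safe if its upstream version is one of the fixed releases, or if MBEDTLS_PKCS1_V21 is compiled out of config.h. The function names and the sample config.h fragments are constructed for illustration.

```python
import re

# Fixed upstream releases named in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {(1, 3): 22, (2, 1): 10}
FIRST_FIXED_MAINLINE = (2, 7, 0)

def upstream_fixed(version):
    """True if an upstream x.y.z version is at or past a fixed release."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor, patch) >= FIRST_FIXED_MAINLINE:
        return True
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch >= fixed

def pss_compiled_in(config_text, macro="MBEDTLS_PKCS1_V21"):
    """Follow #define/#undef of the macro, ignoring anything inside C comments."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", config_text, flags=re.S)
    enabled = False
    directive = r"^[ \t]*#[ \t]*(define|undef)[ \t]+(\w+)"
    for m in re.finditer(directive, text, flags=re.M):
        if m.group(2) == macro:
            enabled = m.group(1) == "define"  # the last directive wins
    return enabled

def assess(version, config_text):
    """Classify a build; the runtime verification profile is deliberately ignored."""
    if upstream_fixed(version):
        return "fixed"
    if not pss_compiled_in(config_text):
        return "workaround: PSS compiled out"
    return "upgrade required"

# Constructed config.h fragments (not taken from any real build).
CONFIG_DEFAULT = "#define MBEDTLS_RSA_C\n#define MBEDTLS_PKCS1_V21\n"
CONFIG_DISABLED = "#define MBEDTLS_RSA_C\n//#define MBEDTLS_PKCS1_V21\n"
CONFIG_UNDEF = ("#define MBEDTLS_PKCS1_V21\n/* local override */\n"
                "#undef MBEDTLS_PKCS1_V21\n")

if __name__ == "__main__":
    for ver, cfg in [("2.1.2", CONFIG_DEFAULT), ("2.1.2", CONFIG_DISABLED),
                     ("2.4.2", CONFIG_UNDEF), ("1.3.9", CONFIG_DEFAULT),
                     ("2.1.10", CONFIG_DEFAULT), ("2.7.0", CONFIG_DEFAULT)]:
        print(ver, "->", assess(ver, cfg))
```

This compares upstream version numbers only. A distribution package that backports the fix under an older upstream number, such as 2.4.2-1+deb9u2 or 1.3.9-2.1+deb8u3, has to be checked by its package version instead.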
--- Begin Message ---
Source: polarssl
Source-Version: 1.3.9-2.1+deb8u3

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 20 Mar 2018 17:59:03 +
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl7
Architecture: source
Version: 1.3.9-2.1+deb8u3
Distribution: jessie-security
Urgency: medium
Maintainer: Roland Stigge 
Changed-By: James Cowgill 
Description:
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl7 - lightweight crypto and SSL/TLS library
Closes: 890287 890288
Changes:
 polarssl (1.3.9-2.1+deb8u3) jessie-security; urgency=medium
 .
   * Fix CVE-2017-18187:
     Unsafe bounds check in ssl_parse_client_psk_identity().
   * Fix CVE-2018-0487:
     Buffer overflow when verifying RSASSA-PSS signatures. (Closes: #890288)
   * Fix CVE-2018-0488:
     Buffer overflow when truncated HMAC is enabled. (Closes: #890287)


Bug#890288: marked as done (mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying RSASSA-PSS signatures)

2018-03-17 Thread Debian Bug Tracking System
Your message dated Sat, 17 Mar 2018 21:42:29 +
with message-id 
and subject line Bug#890288: fixed in mbedtls 2.4.2-1+deb9u2
has caused the Debian Bug report #890288,
regarding mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying 
RSASSA-PSS signatures
to be marked as done.

--- Begin Message ---
Source: mbedtls
Source-Version: 2.4.2-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 05 Mar 2018 18:24:47 +
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.4.2-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: James Cowgill 
Changed-By: James Cowgill 
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 890287 890288
Changes:
 mbedtls (2.4.2-1+deb9u2) stretch-security; urgency=high
 .
   * Fix CVE-2017-18187:
     Unsafe bounds check in ssl_parse_client_psk_identity().
   * Fix CVE-2018-0487:
     Buffer overflow when verifying RSASSA-PSS signatures. (Closes: #890288)
   * Fix CVE-2018-0488:
     Buffer overflow when truncated HMAC is enabled. (Closes: #890287)

Bug#890288: marked as done (mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying RSASSA-PSS signatures)

2018-02-14 Thread Debian Bug Tracking System
Your message dated Wed, 14 Feb 2018 13:00:12 +
with message-id 
and subject line Bug#890288: fixed in mbedtls 2.7.0-1
has caused the Debian Bug report #890288,
regarding mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying 
RSASSA-PSS signatures
to be marked as done.

--- Begin Message ---
Source: mbedtls
Source-Version: 2.7.0-1

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill  (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 14 Feb 2018 09:25:58 +
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto1 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source amd64 all
Version: 2.7.0-1
Distribution: experimental
Urgency: medium
Maintainer: James Cowgill 
Changed-By: James Cowgill 
Description:
 libmbedcrypto1 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 890287 890288
Changes:
 mbedtls (2.7.0-1) experimental; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-0488. (Closes: #890287)
     - Fixes CVE-2018-0487. (Closes: #890288)
   * Rename libmbedcrypto0 to libmbedcrypto1 due to SONAME bump.
 .
   * debian/compat:
     - Use debhelper compat 11.
   * debian/control:
     - Switch to salsa.debian.org Vcs URLs.
     - Bump standards version to 4.1.3.
     - Drop useless Testsuite field in debian/control.
   * debian/copyright:
     - Update copyright dates.
   * debian/libmbedtls-doc.*:
     - Fix various paths to work with the new documentation location used
       by debhelper 11.
   * debian/patches:
     - Refresh config patch.
   * debian/*.symbols:
     - Add symbols updates for libmbedtls10.
     - Rewrite symbols libmbedcrypto1 symbols file.