diff options
| author | junovitch <junovitch@FreeBSD.org> | 2015-10-06 10:24:46 +0800 |
|---|---|---|
| committer | junovitch <junovitch@FreeBSD.org> | 2015-10-06 10:24:46 +0800 |
| commit | d104ef0c12ee57da3fbb3416b5366e6f4ad64474 (patch) | |
| tree | 04df71d380512a4f568ea38b2e281301d1288e5e /security | |
| parent | de444f872e7a7c00c4c488d67bc3dd658f0c7cf7 (diff) | |
| download | freebsd-ports-gnome-d104ef0c12ee57da3fbb3416b5366e6f4ad64474.tar.gz freebsd-ports-gnome-d104ef0c12ee57da3fbb3416b5366e6f4ad64474.tar.zst freebsd-ports-gnome-d104ef0c12ee57da3fbb3416b5366e6f4ad64474.zip | |
Document recent mbed TLS/PolarSSL security releases
PR: 203544
Security: 5d280761-6bcf-11e5-9909-002590263bf5
Security: 953aaa57-6bce-11e5-9909-002590263bf5
Diffstat (limited to 'security')
| -rw-r--r-- | security/vuxml/vuln.xml | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index e2a214b0a7c2..e994fcbded64 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,80 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="5d280761-6bcf-11e5-9909-002590263bf5"> + <topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic> + <affects> + <package> + <name>polarssl</name> + <range><ge>1.2.0</ge><lt>1.2.16</lt></range> + </package> + <package> + <name>polarssl13</name> + <range><ge>1.3.0</ge><lt>1.3.13</lt></range> + </package> + <package> + <name>mbedtls</name> + <range><lt>2.1.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ARM Limited reports:</p> + <blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released"> + <p>Florian Weimar from Red Hat published on Lenstra's RSA-CRT attach + for PKCS#1 v1.5 signatures. These releases include countermeasures + against that attack.</p> + <p>Fabian Foerg of Gotham Digital Science found a possible client-side + NULL pointer dereference, using the AFL Fuzzer. This dereference can + only occur when misusing the API, although a fix has still been + implemented.</p> + </blockquote> + </body> + </description> + <references> + <url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released</url> + </references> + <dates> + <discovery>2015-09-18</discovery> + <entry>2015-10-06</entry> + </dates> + </vuln> + + <vuln vid="953aaa57-6bce-11e5-9909-002590263bf5"> + <topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic> + <affects> + <package> + <name>polarssl</name> + <range><ge>1.2.0</ge><lt>1.2.15</lt></range> + </package> + <package> + <name>polarssl13</name> + <range><ge>1.3.0</ge><lt>1.3.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ARM Limited reports:</p> + <blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released"> + <p>In order to strengthen the minimum requirements for connections and + to protect against the Logjam attack, the minimum size of + Diffie-Hellman parameters accepted by the client has been increased + to 1024 bits.</p> + <p>In addition the default size for the Diffie-Hellman parameters on + the server are increased to 2048 bits. This can be changed with + ssl_set_dh_params() in case this is necessary.</p> + </blockquote> + </body> + </description> + <references> + <url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released</url> + </references> + <dates> + <discovery>2015-08-11</discovery> + <entry>2015-10-06</entry> + </dates> + </vuln> + <vuln vid="9272a5b0-6b40-11e5-bd7f-bcaec565249c"> <topic>gdk-pixbuf2 -- head overflow and DoS</topic> <affects> |