FS#43508 - [polarssl] Remote attack using crafted certificates CVE-2015-1182

Attached to Project: Community Packages
Opened by Remi Gacogne (rgacogne) - Monday, 19 January 2015, 15:12 GMT
Last edited by Kyle Keen (keenerd) - Tuesday, 20 January 2015, 12:06 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Kyle Keen (keenerd)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

A critical vulnerability has been reported [1] in polarssl >= 1.0, possibly leading to remote code execution. As there has not been an updated release yet (AFAIK), I believe we should backport the one-line fix mentioned in the advisory as soon as possible.

[1] https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04

Closed by Kyle Keen (keenerd)
Tuesday, 20 January 2015, 12:06 GMT
Reason for closing: Fixed
Additional comments about closing: polarssl-1.3.9-2
Comment by Levente Polyak (anthraxx) - Monday, 19 January 2015, 15:50 GMT
Just in case it helps you reduce your work on this, I have attached the CVE patch file from the advisory as well as a patch to your current PKGBUILD (just for convenience).
cheers
Levente
Comment by Levente Polyak (anthraxx) - Monday, 19 January 2015, 16:34 GMT
Sorry for the noise, but I forgot to bump pkgrel and my perfectionism forces me to (re)submit a clean PKGBUILD patch ;P
Comment by Kyle Keen (keenerd) - Tuesday, 20 January 2015, 12:05 GMT
Thank you, it is a pleasure to get a bug report as thorough as this.
