Date: Tue, 6 Oct 2015 02:24:47 +0000 (UTC) From: Jason Unovitch <junovitch@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r398677 - head/security/vuxml Message-ID: <201510060224.t962OlxZ034191@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: junovitch Date: Tue Oct 6 02:24:46 2015 New Revision: 398677 URL: https://svnweb.freebsd.org/changeset/ports/398677 Log: Document recent mbed TLS/PolarSSL security releases PR: 203544 Security: 5d280761-6bcf-11e5-9909-002590263bf5 Security: 953aaa57-6bce-11e5-9909-002590263bf5 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Oct 6 00:52:56 2015 (r398676) +++ head/security/vuxml/vuln.xml Tue Oct 6 02:24:46 2015 (r398677) @@ -58,6 +58,80 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="5d280761-6bcf-11e5-9909-002590263bf5"> + <topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic> + <affects> + <package> + <name>polarssl</name> + <range><ge>1.2.0</ge><lt>1.2.16</lt></range> + </package> + <package> + <name>polarssl13</name> + <range><ge>1.3.0</ge><lt>1.3.13</lt></range> + </package> + <package> + <name>mbedtls</name> + <range><lt>2.1.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>ARM Limited reports:</p> + <blockquote cite="https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released">; + <p>Florian Weimar from Red Hat published on Lenstra's RSA-CRT attach + for PKCS#1 v1.5 signatures. These releases include countermeasures + against that attack.</p> + <p>Fabian Foerg of Gotham Digital Science found a possible client-side + NULL pointer dereference, using the AFL Fuzzer. This dereference can + only occur when misusing the API, although a fix has still been + implemented.</p> + </blockquote> + </body> + </description> + <references> + <url>https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released</url>; + </references> + <dates> + <discovery>2015-09-18</discovery> + <entry>2015-10-06</entry> + </dates> + </vuln> + + <vuln vid="953aaa57-6bce-11e5-9909-002590263bf5"> + <topic>mbedTLS/PolarSSL -- multiple vulnerabilities</topic> + <affects> + <package> + <name>polarssl</name> + <range><ge>1.2.0</ge><lt>1.2.15</lt></range> + </package> + <package> + <name>polarssl13</name> + <range><ge>1.3.0</ge><lt>1.3.12</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>ARM Limited reports:</p> + <blockquote cite="https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released">; + <p>In order to strengthen the minimum requirements for connections and + to protect against the Logjam attack, the minimum size of + Diffie-Hellman parameters accepted by the client has been increased + to 1024 bits.</p> + <p>In addition the default size for the Diffie-Hellman parameters on + the server are increased to 2048 bits. This can be changed with + ssl_set_dh_params() in case this is necessary.</p> + </blockquote> + </body> + </description> + <references> + <url>https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released</url>; + </references> + <dates> + <discovery>2015-08-11</discovery> + <entry>2015-10-06</entry> + </dates> + </vuln> + <vuln vid="9272a5b0-6b40-11e5-bd7f-bcaec565249c"> <topic>gdk-pixbuf2 -- head overflow and DoS</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201510060224.t962OlxZ034191>