Update Info


Security update for mbedtls

Type: security
Severity: important
Issued: 2017-03-22
This update to mbedtls 1.3.19 fixes security issues and bugs.

The following vulnerability was fixed:

CVE-2017-2784: A remote user could have used a specially crafted certificate to cause
               mbedtls to free a buffer allocated on the stack when verifying the validity
               of public key with a secp224k1 curve, which could have allowed remote
               code execution on some platforms (boo#1029017)

The following non-security changes are included:

- Add checks to prevent signature forgeries for very large messages while using RSA through
  the PK module in 64-bit systems.
- Fixed potential livelock during the parsing of a CRL in PEM format



  • mbedtls-1.3.19-5.1