Update Info

openSUSE-2018-186


Security update for mbedtls


Type: security
Severity: moderate
Issued: 2018-02-20
Description:
This update for mbedtls fixes the following issues:

- CVE-2018-0487: Fixed a buffer overflow in RSASSA-PSS signature
  verification, which allowed remote attackers to execute arbitrary code or
  cause a denial of service via a crafted certificate chain. (boo#1080826)
- CVE-2018-0488: Fixed a heap vulnerability, which allowed remote
  attackers to execute arbitrary code or cause a DoS via a crafted application
  packet when the truncated HMAC extension and CBC are used. (boo#1080828)
- CVE-2017-18187: Fixed a bounds check in ssl_parse_client_psk_identity(),
  which might lead to an overflow. (boo#1080973)


              

Packages


  • mbedtls-1.3.19-11.1