Lucene search

Arch LinuxASA-201601-29

HistoryJan 25, 2016 - 12:00 a.m.

mbedtls: man-in-the-middle

2016-01-2500:00:00

Arch Linux

lists.archlinux.org

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

65.7%

JSON

mbedTLS before 2.2.1 is vulnerable to the SLOTH attack, breaking MD5
signatures potentially used during TLS 1.2 handshakes to impersonate a
TLS server.

OSVersionArchitecturePackageVersionFilename
anyanyanymbedtls< 2.2.1-1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
any	any	any	mbedtls	< 2.2.1-1	UNKNOWN

References

www.mitls.org/pages/attacks/SLOTH

access.redhat.com/security/cve/CVE-2015-7575

bugs.archlinux.org/task/47783

tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

65.7%

JSON

Related for ASA-201601-29