Updated mbedtls and related packages fix security vulnerabilities

2018-03-1023:47:30

Gentoo Foundation

advisories.mageia.org

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.069

Percentile

93.9%

JSON

The mbedtls package has been updated to fix several security issues. Fixed a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer’s heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS. (CVE-2018-0488) Fixed a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution. (CVE-2018-0487)

OSVersionArchitecturePackageVersionFilename
Mageia6noarchmbedtls< 2.7.0-1mbedtls-2.7.0-1.mga6
Mageia6noarchshadowsocks-libev< 3.1.0-1.1shadowsocks-libev-3.1.0-1.1.mga6
Mageia6noarchbctoolbox< 0.2.0-4.1bctoolbox-0.2.0-4.1.mga6
Mageia6noarchhiawatha< 10.4-1.1hiawatha-10.4-1.1.mga6
Mageia6noarchdolphin-emu< 5.0-5.1dolphin-emu-5.0-5.1.mga6

OS	Version	Architecture	Package	Version	Filename
Mageia	6	noarch	mbedtls	< 2.7.0-1	mbedtls-2.7.0-1.mga6
Mageia	6	noarch	shadowsocks-libev	< 3.1.0-1.1	shadowsocks-libev-3.1.0-1.1.mga6
Mageia	6	noarch	bctoolbox	< 0.2.0-4.1	bctoolbox-0.2.0-4.1.mga6
Mageia	6	noarch	hiawatha	< 10.4-1.1	hiawatha-10.4-1.1.mga6
Mageia	6	noarch	dolphin-emu	< 5.0-5.1	dolphin-emu-5.0-5.1.mga6