Search...

Fedora Update for polarssl FEDORA-2015-0991

2015-01-31T00:00:00

ID OPENVAS:1361412562310868964
Type openvas
Reporter Copyright (C) 2015 Greenbone Networks GmbH
Modified 2019-03-15T00:00:00

Description

The remote host is missing an update for the

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for polarssl FEDORA-2015-0991
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.868964");
  script_version("$Revision: 14223 $");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
  script_tag(name:"creation_date", value:"2015-01-31 06:01:55 +0100 (Sat, 31 Jan 2015)");
  script_cve_id("CVE-2015-1182", "CVE-2014-8628", "CVE-2014-4911", "CVE-2013-5915");
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_name("Fedora Update for polarssl FEDORA-2015-0991");
  script_tag(name:"summary", value:"The remote host is missing an update for the 'polarssl'
  package(s) announced via the referenced advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"polarssl on Fedora 20");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_xref(name:"FEDORA", value:"2015-0991");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC20");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "FC20")
{

  if ((res = isrpmvuln(pkg:"polarssl", rpm:"polarssl~1.2.12~3.fc20", rls:"FC20")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}

JSON Vulners Source

Initial Source

{"id": "OPENVAS:1361412562310868964", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for polarssl FEDORA-2015-0991", "description": "The remote host is missing an update for the ", "published": "2015-01-31T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868964", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html", "2015-0991"], "cvelist": ["CVE-2015-1182", "CVE-2014-8628", "CVE-2013-5915", "CVE-2014-4911"], "lastseen": "2019-05-29T18:36:09", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-8628", "CVE-2014-4911", "CVE-2015-0991", "CVE-2015-1182", "CVE-2013-5915"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310868013", "OPENVAS:1361412562310867910", "OPENVAS:1361412562310867902", "OPENVAS:1361412562310703116", "OPENVAS:1361412562310866980", "OPENVAS:703116", "OPENVAS:1361412562310868042", "OPENVAS:866980", "OPENVAS:1361412562310868515", "OPENVAS:1361412562310868511"]}, {"type": "nessus", "idList": ["FEDORA_2013-18251.NASL", "DEBIAN_DLA-36.NASL", "DEBIAN_DLA-129.NASL", "DEBIAN_DSA-3116.NASL", "FEDORA_2014-7263.NASL", "FEDORA_2014-7261.NASL", "DEBIAN_DSA-2981.NASL", "FREEBSD_PKG_CCEFAC3E2AED11E3AF10000C29789CB5.NASL", "FEDORA_2013-18216.NASL", "FEDORA_2013-18228.NASL"]}, {"type": "freebsd", "idList": ["CCEFAC3E-2AED-11E3-AF10-000C29789CB5", "A5856EBA-A015-11E4-A680-1C6F65C3C4FF"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31581", "SECURITYVULNS:DOC:29976", "SECURITYVULNS:VULN:13880", "SECURITYVULNS:VULN:14188", "SECURITYVULNS:VULN:13381", "SECURITYVULNS:DOC:30941"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2981-1:B676B", "DEBIAN:DLA-129-1:D0542", "DEBIAN:DLA-36-1:970BC", "DEBIAN:DLA-144-1:50BA1", "DEBIAN:DSA-3136-1:5CEF5", "DEBIAN:DSA-3116-1:DEFBB", "DEBIAN:DSA-2782-1:1D605"]}, {"type": "archlinux", "idList": ["ASA-201501-13", "ASA-201411-4"]}, {"type": "gentoo", "idList": ["GLSA-201310-10", "GLSA-201801-15"]}, {"type": "redhat", "idList": ["RHSA-2015:0991"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-0991"]}], "modified": "2019-05-29T18:36:09", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2019-05-29T18:36:09", "rev": 2}, "vulnersScore": 6.6}, "pluginID": "1361412562310868964", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2015-0991\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868964\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-31 06:01:55 +0100 (Sat, 31 Jan 2015)\");\n script_cve_id(\"CVE-2015-1182\", \"CVE-2014-8628\", \"CVE-2014-4911\", \"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for polarssl FEDORA-2015-0991\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'polarssl'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-0991\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.12~3.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}

{"cve": [{"lastseen": "2020-11-29T23:17:27", "description": "The RSA-CRT implementation in PolarSSL before 1.2.9 does not properly perform Montgomery multiplication, which might allow remote attackers to conduct a timing side-channel attack and retrieve RSA private keys.", "edition": 4, "cvss3": {}, "published": "2013-10-04T17:55:00", "title": "CVE-2013-5915", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5915"], "modified": "2013-10-31T03:35:00", "cpe": ["cpe:/a:polarssl:polarssl:0.11.0", "cpe:/a:polarssl:polarssl:0.13.1", "cpe:/a:polarssl:polarssl:0.14.2", "cpe:/a:polarssl:polarssl:1.1.3", "cpe:/a:polarssl:polarssl:1.2.1", "cpe:/a:polarssl:polarssl:1.0.0", "cpe:/a:polarssl:polarssl:1.2.6", "cpe:/a:polarssl:polarssl:1.1.0", "cpe:/a:polarssl:polarssl:0.14.3", "cpe:/a:polarssl:polarssl:1.2.0", "cpe:/a:polarssl:polarssl:0.11.1", "cpe:/a:polarssl:polarssl:1.1.6", "cpe:/a:polarssl:polarssl:0.14.0", "cpe:/a:polarssl:polarssl:1.1.5", "cpe:/a:polarssl:polarssl:0.99", "cpe:/a:polarssl:polarssl:1.1.4", "cpe:/a:polarssl:polarssl:0.12.0", "cpe:/a:polarssl:polarssl:0.12.1", "cpe:/a:polarssl:polarssl:1.2.4", "cpe:/a:polarssl:polarssl:1.1.8", "cpe:/a:polarssl:polarssl:1.2.2", "cpe:/a:polarssl:polarssl:1.1.2", "cpe:/a:polarssl:polarssl:1.2.3", "cpe:/a:polarssl:polarssl:1.2.7", "cpe:/a:polarssl:polarssl:0.10.0", "cpe:/a:polarssl:polarssl:1.1.1", "cpe:/a:polarssl:polarssl:0.10.1", "cpe:/a:polarssl:polarssl:1.2.5", "cpe:/a:polarssl:polarssl:1.2.8"], "id": "CVE-2013-5915", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5915", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:polarssl:polarssl:0.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre3:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-11-29T23:22:01", "description": "Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.", "edition": 4, "cvss3": {}, "published": "2015-08-24T15:59:00", "title": "CVE-2014-8628", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8628"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:polarssl:polarssl:1.3.7", "cpe:/a:polarssl:polarssl:1.3.5", "cpe:/a:polarssl:polarssl:1.2.11", "cpe:/a:polarssl:polarssl:1.3.2", "cpe:/a:polarssl:polarssl:1.3.6", "cpe:/a:polarssl:polarssl:1.3.0", "cpe:/a:polarssl:polarssl:1.3.8", "cpe:/a:polarssl:polarssl:1.3.3", "cpe:/a:polarssl:polarssl:1.3.1", "cpe:/a:polarssl:polarssl:1.3.4"], "id": "CVE-2014-8628", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8628", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:polarssl:polarssl:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.8:*:*:*:*:*:*:*"]}, {"lastseen": "2020-11-29T23:21:58", "description": "The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit.", "edition": 4, "cvss3": {}, "published": "2014-07-22T14:55:00", "title": "CVE-2014-4911", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4911"], "modified": "2015-12-04T16:21:00", "cpe": ["cpe:/a:polarssl:polarssl:1.3.7", "cpe:/o:debian:debian_linux:6.0", "cpe:/a:polarssl:polarssl:1.3.5", "cpe:/a:polarssl:polarssl:1.3.2", "cpe:/a:polarssl:polarssl:1.2.1", "cpe:/a:polarssl:polarssl:1.2.6", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:polarssl:polarssl:1.2.0", "cpe:/a:polarssl:polarssl:1.3.6", "cpe:/a:polarssl:polarssl:1.2.10", "cpe:/a:polarssl:polarssl:1.3.0", "cpe:/a:polarssl:polarssl:1.2.4", "cpe:/a:polarssl:polarssl:1.3.3", "cpe:/a:polarssl:polarssl:1.3.1", "cpe:/a:polarssl:polarssl:1.2.2", "cpe:/a:polarssl:polarssl:1.2.3", "cpe:/a:polarssl:polarssl:1.2.7", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:polarssl:polarssl:1.2.5", "cpe:/a:polarssl:polarssl:1.3.4", "cpe:/a:polarssl:polarssl:1.2.9", "cpe:/a:polarssl:polarssl:1.2.8"], "id": "CVE-2014-4911", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4911", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:polarssl:polarssl:1.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:rc0:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:49:48", "description": "The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.\n<a href=\"http://cwe.mitre.org/data/definitions/824.html\">CWE-824: Access of Uninitialized Pointer</a>", "edition": 3, "cvss3": {}, "published": "2015-01-27T20:59:00", "title": "CVE-2015-1182", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1182"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:polarssl:polarssl:1.3.7", "cpe:/a:polarssl:polarssl:1.3.5", "cpe:/a:polarssl:polarssl:1.2.11", "cpe:/a:polarssl:polarssl:1.1.3", "cpe:/a:polarssl:polarssl:1.3.2", "cpe:/a:polarssl:polarssl:1.2.1", "cpe:/a:polarssl:polarssl:1.0.0", "cpe:/a:polarssl:polarssl:1.2.6", "cpe:/a:polarssl:polarssl:1.1.0", "cpe:/a:polarssl:polarssl:1.2.0", "cpe:/a:polarssl:polarssl:1.3.6", "cpe:/a:polarssl:polarssl:1.2.10", "cpe:/a:polarssl:polarssl:1.1.6", "cpe:/a:polarssl:polarssl:1.3.0", "cpe:/a:polarssl:polarssl:1.3.8", "cpe:/a:polarssl:polarssl:1.2.12", "cpe:/a:polarssl:polarssl:1.1.5", "cpe:/o:opensuse:opensuse:13.2", "cpe:/a:polarssl:polarssl:1.1.4", "cpe:/a:polarssl:polarssl:1.2.4", "cpe:/a:polarssl:polarssl:1.1.8", "cpe:/a:polarssl:polarssl:1.1.7", "cpe:/a:polarssl:polarssl:1.3.3", "cpe:/a:polarssl:polarssl:1.3.1", "cpe:/a:polarssl:polarssl:1.2.2", "cpe:/a:polarssl:polarssl:1.1.2", "cpe:/a:polarssl:polarssl:1.2.3", "cpe:/a:polarssl:polarssl:1.2.7", "cpe:/a:polarssl:polarssl:1.1.1", "cpe:/a:polarssl:polarssl:1.2.5", "cpe:/a:polarssl:polarssl:1.3.4", "cpe:/a:polarssl:polarssl:1.2.9", "cpe:/a:polarssl:polarssl:1.2.8", "cpe:/a:polarssl:polarssl:1.3.9"], "id": "CVE-2015-1182", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1182", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:polarssl:polarssl:1.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.3.8:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:37:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8628", "CVE-2013-5915", "CVE-2014-8627", "CVE-2014-4911"], "description": "Check the version of polarssl", "modified": "2019-03-15T00:00:00", "published": "2014-11-23T00:00:00", "id": "OPENVAS:1361412562310868511", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868511", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2014-14912", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2014-14912\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868511\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-23 06:45:02 +0100 (Sun, 23 Nov 2014)\");\n script_cve_id(\"CVE-2014-8628\", \"CVE-2014-4911\", \"CVE-2013-5915\", \"CVE-2014-8627\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for polarssl FEDORA-2014-14912\");\n script_tag(name:\"summary\", value:\"Check the version of polarssl\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-14912\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144811.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.12~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:37:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8628", "CVE-2013-5915", "CVE-2014-8627", "CVE-2014-4911"], "description": "Check the version of polarssl", "modified": "2019-03-15T00:00:00", "published": "2014-11-23T00:00:00", "id": "OPENVAS:1361412562310868515", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868515", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2014-14898", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2014-14898\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868515\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-23 06:45:17 +0100 (Sun, 23 Nov 2014)\");\n script_cve_id(\"CVE-2014-8628\", \"CVE-2014-4911\", \"CVE-2013-5915\", \"CVE-2014-8627\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Fedora Update for polarssl FEDORA-2014-14898\");\n script_tag(name:\"summary\", value:\"Check the version of polarssl\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-14898\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144832.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.12~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:37:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915", "CVE-2014-4911"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310868013", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868013", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2014-8310", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2014-8310\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868013\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:13:57 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-4911\", \"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for polarssl FEDORA-2014-8310\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-8310\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135646.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'polarssl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.11~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:37:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915", "CVE-2014-4911"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310868042", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868042", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2014-8316", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2014-8316\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868042\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:28:13 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-4911\", \"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for polarssl FEDORA-2014-8316\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-8316\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135644.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'polarssl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.11~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:37:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-06-23T00:00:00", "id": "OPENVAS:1361412562310867910", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867910", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2014-7263", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2014-7263\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867910\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-23 13:29:59 +0530 (Mon, 23 Jun 2014)\");\n script_cve_id(\"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for polarssl FEDORA-2014-7263\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-7263\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134551.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'polarssl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.10~2.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:38:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-10-15T00:00:00", "id": "OPENVAS:1361412562310866980", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310866980", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2013-18228", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2013-18228\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.866980\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-15 13:00:02 +0530 (Tue, 15 Oct 2013)\");\n script_cve_id(\"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for polarssl FEDORA-2013-18228\");\n\n\n script_tag(name:\"affected\", value:\"polarssl on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-18228\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'polarssl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.9~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-01-18T11:09:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "description": "Check for the Version of polarssl", "modified": "2018-01-17T00:00:00", "published": "2013-10-15T00:00:00", "id": "OPENVAS:866980", "href": "http://plugins.openvas.org/nasl.php?oid=866980", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2013-18228", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2013-18228\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(866980);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-15 13:00:02 +0530 (Tue, 15 Oct 2013)\");\n script_cve_id(\"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for polarssl FEDORA-2013-18228\");\n\n tag_insight = \"PolarSSL is a light-weight open source cryptographic and SSL/TLS\nlibrary written in C. PolarSSL makes it easy for developers to include\ncryptographic and SSL/TLS capabilities in their (embedded)\napplications with as little hassle as possible.\n\";\n\n tag_affected = \"polarssl on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-18228\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of polarssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.9~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:37:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-06-23T00:00:00", "id": "OPENVAS:1361412562310867902", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867902", "type": "openvas", "title": "Fedora Update for polarssl FEDORA-2014-7261", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for polarssl FEDORA-2014-7261\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867902\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-23 10:37:35 +0530 (Mon, 23 Jun 2014)\");\n script_cve_id(\"CVE-2013-5915\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for polarssl FEDORA-2014-7261\");\n script_tag(name:\"affected\", value:\"polarssl on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-7261\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134559.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'polarssl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"polarssl\", rpm:\"polarssl~1.2.10~2.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-03-20T16:43:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8628"], "description": "It was discovered that a memory leak\nin parsing X.509 certificates may result in denial of service.", "modified": "2018-03-19T00:00:00", "published": "2014-12-30T00:00:00", "id": "OPENVAS:703116", "href": "http://plugins.openvas.org/nasl.php?oid=703116", "type": "openvas", "title": "Debian Security Advisory DSA 3116-1 (polarssl - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3116.nasl 9136 2018-03-19 13:08:02Z cfischer $\n# Auto-generated from advisory DSA 3116-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703116);\n script_version(\"$Revision: 9136 $\");\n script_cve_id(\"CVE-2014-8628\");\n script_name(\"Debian Security Advisory DSA 3116-1 (polarssl - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-03-19 14:08:02 +0100 (Mon, 19 Mar 2018) $\");\n script_tag(name: \"creation_date\", value: \"2014-12-30 00:00:00 +0100 (Tue, 30 Dec 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3116.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"polarssl on Debian Linux\");\n script_tag(name: \"insight\", value: \"PolarSSL is a fork of the abandoned\nproject XySSL. It is a lean crypto library providing SSL and TLS support in your\nprograms.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthis problem has been fixed in version 1.2.9-1~deb7u4.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.3.9-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.9-1.\n\nWe recommend that you upgrade your polarssl packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that a memory leak\nin parsing X.509 certificates may result in denial of service.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpolarssl-dev\", ver:\"1.2.9-1~deb7u4\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpolarssl-runtime\", ver:\"1.2.9-1~deb7u4\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpolarssl0\", ver:\"1.2.9-1~deb7u4\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8628"], "description": "It was discovered that a memory leak\nin parsing X.509 certificates may result in denial of service.", "modified": "2019-03-18T00:00:00", "published": "2014-12-30T00:00:00", "id": "OPENVAS:1361412562310703116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703116", "type": "openvas", "title": "Debian Security Advisory DSA 3116-1 (polarssl - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3116.nasl 14277 2019-03-18 14:45:38Z cfischer $\n# Auto-generated from advisory DSA 3116-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703116\");\n script_version(\"$Revision: 14277 $\");\n script_cve_id(\"CVE-2014-8628\");\n script_name(\"Debian Security Advisory DSA 3116-1 (polarssl - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:45:38 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-30 00:00:00 +0100 (Tue, 30 Dec 2014)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3116.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"polarssl on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthis problem has been fixed in version 1.2.9-1~deb7u4.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.3.9-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.9-1.\n\nWe recommend that you upgrade your polarssl packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that a memory leak\nin parsing X.509 certificates may result in denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libpolarssl-dev\", ver:\"1.2.9-1~deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpolarssl-runtime\", ver:\"1.2.9-1~deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpolarssl0\", ver:\"1.2.9-1~deb7u4\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2020-03-17T23:22:29", "description": "Bugfix release fixing CVE-2013-5915,\nhttps://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-10-11T00:00:00", "title": "Fedora 20 : polarssl-1.2.9-1.fc20 (2013-18216)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "modified": "2013-10-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:polarssl", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2013-18216.NASL", "href": "https://www.tenable.com/plugins/nessus/70377", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-18216.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70377);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2013-5915\");\n script_bugtraq_id(62771);\n script_xref(name:\"FEDORA\", value:\"2013-18216\");\n\n script_name(english:\"Fedora 20 : polarssl-1.2.9-1.fc20 (2013-18216)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bugfix release fixing CVE-2013-5915,\nhttps://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-October/118758.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1c97778e\"\n );\n # https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tls.mbed.org/tech-updates/releases/polarssl-1.2.9-released\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected polarssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"polarssl-1.2.9-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polarssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-09-24T07:13:57", "description": "PolarSSL Project reports :\n\nThe researchers Cyril Arnaud and Pierre-Alain Fouque investigated the\nPolarSSL RSA implementation and discovered a bias in the\nimplementation of the Montgomery multiplication that we used. For\nwhich they then show that it can be used to mount an attack on the RSA\nkey. Although their test attack is done on a local system, there seems\nto be enough indication that this can properly be performed from a\nremote system as well.\n\nAll versions prior to PolarSSL 1.2.9 and 1.3.0 are affected if a third\nparty can send arbitrary handshake messages to your server.\n\nIf correctly executed, this attack reveals the entire private RSA key\nafter a large number of attack messages (> 600.000 on a local machine)\nare sent to show the timing differences.", "edition": 21, "published": "2013-10-02T00:00:00", "title": "FreeBSD : polarssl -- Timing attack against protected RSA-CRT implementation (ccefac3e-2aed-11e3-af10-000c29789cb5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "modified": "2013-10-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:polarssl"], "id": "FREEBSD_PKG_CCEFAC3E2AED11E3AF10000C29789CB5.NASL", "href": "https://www.tenable.com/plugins/nessus/70264", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70264);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/23\");\n\n script_cve_id(\"CVE-2013-5915\");\n\n script_name(english:\"FreeBSD : polarssl -- Timing attack against protected RSA-CRT implementation (ccefac3e-2aed-11e3-af10-000c29789cb5)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"PolarSSL Project reports :\n\nThe researchers Cyril Arnaud and Pierre-Alain Fouque investigated the\nPolarSSL RSA implementation and discovered a bias in the\nimplementation of the Montgomery multiplication that we used. For\nwhich they then show that it can be used to mount an attack on the RSA\nkey. Although their test attack is done on a local system, there seems\nto be enough indication that this can properly be performed from a\nremote system as well.\n\nAll versions prior to PolarSSL 1.2.9 and 1.3.0 are affected if a third\nparty can send arbitrary handshake messages to your server.\n\nIf correctly executed, this attack reveals the entire private RSA key\nafter a large number of attack messages (> 600.000 on a local machine)\nare sent to show the timing differences.\"\n );\n # https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?37fce654\"\n );\n # https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tls.mbed.org/tech-updates/releases/polarssl-1.2.9-released\"\n );\n # https://vuxml.freebsd.org/freebsd/ccefac3e-2aed-11e3-af10-000c29789cb5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f3f3dc6b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"polarssl<1.2.9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-17T23:22:49", "description": " - Update to 1.2.10\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "published": "2014-06-20T00:00:00", "title": "Fedora 20 : polarssl-1.2.10-2.fc20 (2014-7263)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "modified": "2014-06-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:polarssl", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-7263.NASL", "href": "https://www.tenable.com/plugins/nessus/76153", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7263.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76153);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2013-5915\");\n script_bugtraq_id(62771);\n script_xref(name:\"FEDORA\", value:\"2014-7263\");\n\n script_name(english:\"Fedora 20 : polarssl-1.2.10-2.fc20 (2014-7263)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 1.2.10\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1015946\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134551.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3052953c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected polarssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"polarssl-1.2.10-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polarssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-17T23:22:29", "description": "Bugfix release fixing CVE-2013-5915,\nhttps://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-10-15T00:00:00", "title": "Fedora 18 : polarssl-1.2.9-1.fc18 (2013-18251)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "modified": "2013-10-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:polarssl"], "id": "FEDORA_2013-18251.NASL", "href": "https://www.tenable.com/plugins/nessus/70420", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-18251.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70420);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2013-5915\");\n script_bugtraq_id(62771);\n script_xref(name:\"FEDORA\", value:\"2013-18251\");\n\n script_name(english:\"Fedora 18 : polarssl-1.2.9-1.fc18 (2013-18251)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bugfix release fixing CVE-2013-5915,\nhttps://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119018.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?89d693a5\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119139.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?40093699\"\n );\n # https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tls.mbed.org/tech-updates/releases/polarssl-1.2.9-released\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected polarssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"polarssl-1.2.9-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polarssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-17T23:22:50", "description": " - Update to 1.2.10\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "published": "2014-06-20T00:00:00", "title": "Fedora 19 : polarssl-1.2.10-2.fc19 (2014-7261)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "modified": "2014-06-20T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:polarssl"], "id": "FEDORA_2014-7261.NASL", "href": "https://www.tenable.com/plugins/nessus/76152", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7261.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76152);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2013-5915\");\n script_bugtraq_id(62771);\n script_xref(name:\"FEDORA\", value:\"2014-7261\");\n\n script_name(english:\"Fedora 19 : polarssl-1.2.10-2.fc19 (2014-7261)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 1.2.10\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1015946\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134559.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7b76df5b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected polarssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"polarssl-1.2.10-2.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polarssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-17T23:22:29", "description": "Bugfix release fixing CVE-2013-5915,\nhttps://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2013-10-15T00:00:00", "title": "Fedora 19 : polarssl-1.2.9-1.fc19 (2013-18228)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5915"], "modified": "2013-10-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:polarssl"], "id": "FEDORA_2013-18228.NASL", "href": "https://www.tenable.com/plugins/nessus/70419", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-18228.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70419);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2013-5915\");\n script_bugtraq_id(62771);\n script_xref(name:\"FEDORA\", value:\"2013-18228\");\n\n script_name(english:\"Fedora 19 : polarssl-1.2.9-1.fc19 (2013-18228)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Bugfix release fixing CVE-2013-5915,\nhttps://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119014.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?04f83002\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119084.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b3bf2cf5\"\n );\n # https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://tls.mbed.org/tech-updates/releases/polarssl-1.2.9-released\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected polarssl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"polarssl-1.2.9-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"polarssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-17T22:55:09", "description": "It was discovered that a memory leak in parsing X.509 certificates may\nresult in denial of service.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 13, "published": "2015-03-26T00:00:00", "title": "Debian DLA-129-1 : polarssl security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8628"], "modified": "2015-03-26T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libpolarssl0", "p-cpe:/a:debian:debian_linux:libpolarssl-dev", "p-cpe:/a:debian:debian_linux:libpolarssl-runtime"], "id": "DEBIAN_DLA-129.NASL", "href": "https://www.tenable.com/plugins/nessus/82112", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-129-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82112);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2014-8628\");\n script_bugtraq_id(70905);\n\n script_name(english:\"Debian DLA-129-1 : polarssl security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a memory leak in parsing X.509 certificates may\nresult in denial of service.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/01/msg00001.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/polarssl\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpolarssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpolarssl-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpolarssl0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libpolarssl-dev\", reference:\"1.2.9-1~deb6u3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libpolarssl-runtime\", reference:\"1.2.9-1~deb6u3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libpolarssl0\", reference:\"1.2.9-1~deb6u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-03-17T23:00:40", "description": "It was discovered that a memory leak in parsing X.509 certificates may\nresult in denial of service.", "edition": 14, "published": "2015-01-02T00:00:00", "title": "Debian DSA-3116-1 : polarssl - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8628"], "modified": "2015-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:polarssl", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3116.NASL", "href": "https://www.tenable.com/plugins/nessus/80307", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3116. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80307);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2014-8628\");\n script_bugtraq_id(70905);\n script_xref(name:\"DSA\", value:\"3116\");\n\n script_name(english:\"Debian DSA-3116-1 : polarssl - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that a memory leak in parsing X.509 certificates may\nresult in denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/polarssl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-3116\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the polarssl packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.9-1~deb7u4.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.3.9-1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libpolarssl-dev\", reference:\"1.2.9-1~deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpolarssl-runtime\", reference:\"1.2.9-1~deb7u4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpolarssl0\", reference:\"1.2.9-1~deb7u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-03-17T23:00:37", "description": "A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS\nlibrary, which can be exploited by a remote unauthenticated attacker\nto mount a denial of service against PolarSSL servers that offer GCM\nciphersuites. Potentially clients are affected too if a malicious\nserver decides to execute the denial of service attack against its\nclients.", "edition": 13, "published": "2014-07-20T00:00:00", "title": "Debian DSA-2981-1 : polarssl - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4911"], "modified": "2014-07-20T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:polarssl", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2981.NASL", "href": "https://www.tenable.com/plugins/nessus/76599", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2981. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76599);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2014-4911\");\n script_xref(name:\"DSA\", value:\"2981\");\n\n script_name(english:\"Debian DSA-2981-1 : polarssl - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS\nlibrary, which can be exploited by a remote unauthenticated attacker\nto mount a denial of service against PolarSSL servers that offer GCM\nciphersuites. Potentially clients are affected too if a malicious\nserver decides to execute the denial of service attack against its\nclients.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754655\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/polarssl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2981\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the polarssl packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.9-1~deb7u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:polarssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libpolarssl-dev\", reference:\"1.2.9-1~deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpolarssl-runtime\", reference:\"1.2.9-1~deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpolarssl0\", reference:\"1.2.9-1~deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-17T22:59:03", "description": "Denial of Service against GCM enabled servers (and clients).\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 12, "published": "2015-03-26T00:00:00", "title": "Debian DLA-36-1 : polarssl security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4911"], "modified": "2015-03-26T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libpolarssl0", "p-cpe:/a:debian:debian_linux:libpolarssl-dev", "p-cpe:/a:debian:debian_linux:libpolarssl-runtime"], "id": "DEBIAN_DLA-36.NASL", "href": "https://www.tenable.com/plugins/nessus/82184", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-36-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82184);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2014-4911\");\n script_bugtraq_id(68748);\n\n script_name(english:\"Debian DLA-36-1 : polarssl security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Denial of Service against GCM enabled servers (and clients).\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2014/08/msg00010.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/polarssl\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpolarssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpolarssl-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpolarssl0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libpolarssl-dev\", reference:\"1.2.9-1~deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libpolarssl-runtime\", reference:\"1.2.9-1~deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libpolarssl0\", reference:\"1.2.9-1~deb6u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:33", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5915"], "description": "\nPolarSSL Project reports:\n\nThe researchers Cyril Arnaud and Pierre-Alain Fouque\n\t investigated the PolarSSL RSA implementation and discovered\n\t a bias in the implementation of the Montgomery multiplication\n\t that we used. For which they then show that it can be used to\n\t mount an attack on the RSA key. Although their test attack is\n\t done on a local system, there seems to be enough indication\n\t that this can properly be performed from a remote system as\n\t well.\nAll versions prior to PolarSSL 1.2.9 and 1.3.0 are affected\n\t if a third party can send arbitrary handshake messages to your\n\t server.\nIf correctly executed, this attack reveals the entire private\n\t RSA key after a large number of attack messages (> 600.000 on\n\t a local machine) are sent to show the timing differences.\n\n", "edition": 4, "modified": "2013-10-01T00:00:00", "published": "2013-10-01T00:00:00", "id": "CCEFAC3E-2AED-11E3-AF10-000C29789CB5", "href": "https://vuxml.freebsd.org/freebsd/ccefac3e-2aed-11e3-af10-000c29789cb5.html", "title": "polarssl -- Timing attack against protected RSA-CRT implementation", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:33:21", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1182"], "description": "\nPolarSSL team reports:\n\nDuring the parsing of a ASN.1 sequence, a pointer in the linked list of asn1_sequence is not\n\t initialized by asn1_get_sequence_of(). In case an error occurs during parsing of the list, a\n\t situation is created where the uninitialized pointer is passed to polarssl_free().\nThis sequence can be triggered when a PolarSSL entity is parsing a certificate. So practically this\n\t means clients when receiving a certificate from the server or servers in case they are actively\n\t asking for a client certificate.\n\n", "edition": 4, "modified": "2015-01-14T00:00:00", "published": "2015-01-14T00:00:00", "id": "A5856EBA-A015-11E4-A680-1C6F65C3C4FF", "href": "https://vuxml.freebsd.org/freebsd/a5856eba-a015-11e4-a680-1c6f65c3c4ff.html", "title": "polarssl -- Remote attack using crafted certificates", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-8628"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3116-1 security@debian.org\r\nhttp://www.debian.org/security/ Moritz Muehlenhoff\r\nDecember 30, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : polarssl\r\nCVE ID : CVE-2014-8628\r\n\r\nIt was discovered that a memory leak in parsing X.509 certificates may \r\nresult in denial of service.\r\n\r\nFor the stable distribution (wheezy), this problem has been fixed in\r\nversion 1.2.9-1~deb7u4.\r\n\r\nFor the upcoming stable distribution (jessie), this problem has been\r\nfixed in version 1.3.9-1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1.3.9-1.\r\n\r\nWe recommend that you upgrade your polarssl packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBAgAGBQJUof1xAAoJEBDCk7bDfE42TrkP/A7Iw+HG6yaSV3DZ4THEAesN\r\nsMApQQT2IyQ/YjxZ+RGKCgowQiiO+eVVYBjM4v0SafIKWHlcvsPIjMXqDHGR6+Dz\r\ngzUAQ1vHBiWw5gI7Ix7dv8jgV0s2yKaSr6YTLBzDbNX6AmUCIaXbZgKe7wTSAf2u\r\n5kuSoPXb+Vf9I08md6hFbEPvEJfnTZFaqiXl+2nRX2NzDBQGQXzyBbr7aPz06+nl\r\nEVE20HClcKqjusCVaB4KCc9if1D3PswxgbdLIpg0BvVfO7ZugZeaZ4A1QHUVUxm0\r\nm4FxAVDXcmQDBIlgKScT/0tgjUOElpVGGjoE4m6tM3gqULVCdw1NPxJm9vd8sglm\r\n462aYOB75hHrKqyR37h6/1t+3dpt9tq1V8ZY931CucnbEnq3xWSkkIKXkFMMIN7R\r\nasXGNanoLVwkLwF5oylqy+asCHW66m00rJmet4b1ZjKNCIdGD7z/QjCymNWXg7Ya\r\nrXtQn7w7qAlijiNPsvnQnh4Rd1QeNYuqpZ7prYvRfcafhPHX1DwQFR3zSnzMxqL6\r\nUNyjOiO4ZWRIWUPJYtGh8j7OnXTlBaRWibzUCSoYE83kvM0lPC/MLy5RQ2BripaO\r\nIk7n++UFVGKtW6wbSI8qLB5H5MOWRl78d8J6Yt7hUcHX/at9+dczbq+h5guXXJwX\r\nl78i+xR59Y4GHHoaUiEN\r\n=6w3n\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-12-30T00:00:00", "published": "2014-12-30T00:00:00", "id": "SECURITYVULNS:DOC:31581", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31581", "title": "[SECURITY] [DSA 3116-1] polarssl security update", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "cvelist": ["CVE-2014-8628"], "description": "Memory leak on certificate parsing.", "edition": 1, "modified": "2014-12-30T00:00:00", "published": "2014-12-30T00:00:00", "id": "SECURITYVULNS:VULN:14188", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14188", "title": "PolarSSL DoS", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-4911"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2981-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nJuly 18, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : polarssl\r\nCVE ID : CVE-2014-4911\r\nDebian Bug : 754655\r\n\r\nA flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS\r\nlibrary, which can be exploited by a remote unauthenticated attacker to\r\nmount a denial of service against PolarSSL servers that offer GCM\r\nciphersuites. Potentially clients are affected too if a malicious server\r\ndecides to execute the denial of service attack against its clients.\r\n\r\nFor the stable distribution (wheezy), this problem has been fixed in\r\nversion 1.2.9-1~deb7u3.\r\n\r\nFor the testing distribution (jessie), this problem has been fixed in\r\nversion 1.3.7-2.1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1.3.7-2.1.\r\n\r\nWe recommend that you upgrade your polarssl packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBCgAGBQJTyTxWAAoJEAVMuPMTQ89EOtgP/jQTbv+uZvjTH1pW9YWdRifE\r\n1u1uqWvBhMySn/SpOi1M8gG8SbI0J3Zf2hhe619GWQTizIGyCsDf912j5EYMPZct\r\nU+4GkGZvH6JSREHFHgzsj4Y284mO6tr4gEmx053tx1JyY4ZE4QCDwVWjXUw/jl6e\r\nvi68m4vf/ul3Bo0oo4eivkAVewQf8zCf4M/nvpL0vKVRVzBaca8K9tEWNdN5vYvJ\r\nMfjF35k6QmHlx1ntr9QwwaUPvuzhDE83CXtdNqKHvIiu31Q1sH7fDWHb+2EXQnJZ\r\nqAa9a4Xz/cCNHNDYJdZKMqQ801b/FAE+WpMv/p+iKZJ+b8Qe4hi1jxnZFSCI8s5S\r\nIAOiyM/xETZGjqywWxIzU8WBvYVRWZX82wL01Pq0uNMhNpdLC1PAV0ayi//4z0iK\r\nEp6O70bCAqxEUpNv71CWJdP/uZg38PCNiDgnV4Il6bXPVpW13l3nWzDKvQmLepdg\r\n32CJ2b93HG4oB9dK5PrAAXsI4q9H0pJihF4oSzqYrxvtk6kN5QGszTguCWNh0zlg\r\nVGgejjww5zKO9vyJdaDoiCn+qBVL08FlTPEMBArulh3R+6D1ih8ftPDlZbNRVQXb\r\nFCPqqZRIeIGBMPGGwmaTMrlC3QGjhJILJxqu5/SpCqGlG+/90cYDrlOwB/9oXtNn\r\nuDyFK2A4oQPutCpJLH91\r\n=/4R/\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-07-22T00:00:00", "published": "2014-07-22T00:00:00", "id": "SECURITYVULNS:DOC:30941", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30941", "title": "[SECURITY] [DSA 2981-1] polarssl security update", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-4911"], "description": "DoS on GCM cypher.", "edition": 1, "modified": "2014-07-22T00:00:00", "published": "2014-07-22T00:00:00", "id": "SECURITYVULNS:VULN:13880", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13880", "title": "PolarSSL DoS", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "cvelist": ["CVE-2013-5915", "CVE-2013-5914", "CVE-2013-4623"], "description": "DoS, buffer overflows, timing attacks.", "edition": 1, "modified": "2013-10-28T00:00:00", "published": "2013-10-28T00:00:00", "id": "SECURITYVULNS:VULN:13381", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13381", "title": "PolarSSL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "cvelist": ["CVE-2013-5915", "CVE-2013-5914", "CVE-2013-4623"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2782-1 security@debian.org\r\nhttp://www.debian.org/security/ Moritz Muehlenhoff\r\nOctober 20, 2013 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : polarssl\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2013-4623 CVE-2013-5914 CVE-2013-5915\r\n\r\nMultiple security issues have been discovered in PolarSSL, a lightweight \r\ncrypto and SSL/TLS library:\r\n\r\nCVE-2013-4623\r\n\r\n Jack Lloyd discovered a denial of service vulnerability in the \r\n parsing of PEM-encoded certificates.\r\n\r\nCVE-2013-5914\r\n\r\n Paul Brodeur and TrustInSoft discovered a buffer overflow in the\r\n ssl_read_record() function, allowing the potential execution of\r\n arbitrary code.\r\n\r\nCVE-2013-5915\r\n\r\n Cyril Arnaud and Pierre-Alain Fouque discovered timimg attacks against\r\n the RSA implementation.\r\n\r\nFor the oldstable distribution (squeeze), these problems will be fixed in\r\nversion 1.2.9-1~deb6u1 soon (due to a technical limitation the updates\r\ncannot be released synchronously).\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 1.2.9-1~deb7u1.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.3.1-1.\r\n\r\nWe recommend that you upgrade your polarssl packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n\r\n\r\n\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.15 (GNU/Linux)\r\n\r\niEYEARECAAYFAlJkB2wACgkQXm3vHE4uylpw4wCgviIBtPeDGMTJnYSKl+Nts1wl\r\nhQsAoMMlNgR/ksIHwiSoiIVla+xTyRTE\r\n=sY+z\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "edition": 1, "modified": "2013-10-28T00:00:00", "published": "2013-10-28T00:00:00", "id": "SECURITYVULNS:DOC:29976", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29976", "title": "[SECURITY] [DSA 2782-1] polarssl security update", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2020-08-12T00:52:23", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8628"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3116-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nDecember 30, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : polarssl\nCVE ID : CVE-2014-8628\n\nIt was discovered that a memory leak in parsing X.509 certificates may \nresult in denial of service.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.9-1~deb7u4.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.3.9-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.9-1.\n\nWe recommend that you upgrade your polarssl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2014-12-30T01:20:15", "published": "2014-12-30T01:20:15", "id": "DEBIAN:DSA-3116-1:DEFBB", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00307.html", "title": "[SECURITY] [DSA 3116-1] polarssl security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-11-11T13:21:55", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8628"], "description": "Package : polarssl\nVersion : 1.2.9-1~deb6u3\nCVE ID : CVE-2014-8628\n\nIt was discovered that a memory leak in parsing X.509 certificates may\nresult in denial of service.\n", "edition": 11, "modified": "2015-01-03T21:45:33", "published": "2015-01-03T21:45:33", "id": "DEBIAN:DLA-129-1:D0542", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201501/msg00001.html", "title": "[SECURITY] [DLA 129-1] polarssl security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-08-12T01:03:00", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4911"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2981-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nJuly 18, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : polarssl\nCVE ID : CVE-2014-4911\nDebian Bug : 754655\n\nA flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS\nlibrary, which can be exploited by a remote unauthenticated attacker to\nmount a denial of service against PolarSSL servers that offer GCM\nciphersuites. Potentially clients are affected too if a malicious server\ndecides to execute the denial of service attack against its clients.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.9-1~deb7u3.\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 1.3.7-2.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.3.7-2.1.\n\nWe recommend that you upgrade your polarssl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2014-07-18T15:26:20", "published": "2014-07-18T15:26:20", "id": "DEBIAN:DSA-2981-1:B676B", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00163.html", "title": "[SECURITY] [DSA 2981-1] polarssl security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-11T13:29:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4911"], "description": "Package : polarssl\nVersion : 1.2.9-1~deb6u2\nCVE ID : CVE-2014-4911\nDebian Bug : #754655\n\nDenial of Service against GCM enabled servers (and clients).\n\n\n", "edition": 7, "modified": "2014-08-11T17:46:43", "published": "2014-08-11T17:46:43", "id": "DEBIAN:DLA-36-1:970BC", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201408/msg00010.html", "title": "[DLA 36-1] polarssl security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-30T02:23:09", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1182"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3136-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nJanuary 24, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : polarssl\nCVE ID : CVE-2015-1182\nDebian Bug : 775776\n\nA vulnerability was discovered in PolarSSL, a lightweight crypto and\nSSL/TLS library. A remote attacker could exploit this flaw using\nspecially crafted certificates to mount a denial of service against an\napplication linked against the library (application crash), or\npotentially, to execute arbitrary code.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.9-1~deb7u5.\n\nFor the upcoming stable distribution (jessie) and the unstable\ndistribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your polarssl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2015-01-24T09:22:31", "published": "2015-01-24T09:22:31", "id": "DEBIAN:DSA-3136-1:5CEF5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00019.html", "title": "[SECURITY] [DSA 3136-1] polarssl security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:19:58", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1182"], "description": "Package : polarssl\nVersion : 1.2.9-1~deb6u4\nCVE ID : CVE-2015-1182\n\nA vulnerability was discovered in PolarSSL, a lightweight crypto and\nSSL/TLS library. A remote attacker could exploit this flaw using\nspecially crafted certificates to mount a denial of service against an\napplication linked against the library (application crash), or\npotentially, to execute arbitrary code.\n", "edition": 7, "modified": "2015-01-29T21:45:23", "published": "2015-01-29T21:45:23", "id": "DEBIAN:DLA-144-1:50BA1", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201501/msg00018.html", "title": "[SECURITY] [DLA 144-1] polarssl security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:19:47", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5915", "CVE-2013-5914", "CVE-2013-4623"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2782-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nOctober 20, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : polarssl\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-4623 CVE-2013-5914 CVE-2013-5915\n\nMultiple security issues have been discovered in PolarSSL, a lightweight \ncrypto and SSL/TLS library:\n\nCVE-2013-4623\n\n Jack Lloyd discovered a denial of service vulnerability in the \n parsing of PEM-encoded certificates.\n\nCVE-2013-5914\n\n Paul Brodeur and TrustInSoft discovered a buffer overflow in the\n ssl_read_record() function, allowing the potential execution of\n arbitrary code.\n\nCVE-2013-5915\n\n Cyril Arnaud and Pierre-Alain Fouque discovered timimg attacks against\n the RSA implementation.\n\nFor the oldstable distribution (squeeze), these problems will be fixed in\nversion 1.2.9-1~deb6u1 soon (due to a technical limitation the updates\ncannot be released synchronously).\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1.2.9-1~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.3.1-1.\n\nWe recommend that you upgrade your polarssl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n\n\n\n\n", "edition": 4, "modified": "2013-10-20T16:41:46", "published": "2013-10-20T16:41:46", "id": "DEBIAN:DSA-2782-1:1D605", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00193.html", "title": "[SECURITY] [DSA 2782-1] polarssl security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2014-8628", "CVE-2014-8627"], "description": "- CVE-2014-8627 (weak signature negotiation)\nA mistake resulted in servers negotiating the lowest common hash from\nsignature_algorithms extension in TLS 1.2.\n\n- CVE-2014-8628 (memory leaks)\nTwo issues were found that result in remotely triggerable memory leaks\nwhen parsing crafted ClientHello messages or X.509 certificates.", "modified": "2014-11-06T00:00:00", "published": "2014-11-06T00:00:00", "id": "ASA-201411-4", "href": "https://lists.archlinux.org/pipermail/arch-security/2014-November/000129.html", "type": "archlinux", "title": "polarssl: multiple issues", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:45", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1182"], "description": "During the parsing of a ASN.1 sequence, a pointer in the linked list of\nasn1_sequence is not initialized by asn1_get_sequence_of(). In case an\nerror occurs during parsing of the list, a situation is created where\nthe uninitialized pointer is passed to polarssl_free().\n\nThis sequence can be triggered when a PolarSSL entity is parsing a\ncertificate. So practically this means clients when receiving a\ncertificate from the server or servers in case they are actively asking\nfor a client certificate.", "modified": "2015-01-20T00:00:00", "published": "2015-01-20T00:00:00", "id": "ASA-201501-13", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000209.html", "type": "archlinux", "title": "polarssl: remote code execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2018-01-15T09:18:13", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1182", "CVE-2015-7575"], "description": "### Background\n\nPolarSSL is a cryptographic library for embedded systems.\n\n### Description\n\nMultiple vulnerabilities have been discovered in PolarSSL. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker might be able to execute arbitrary code, cause Denial of Service condition or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo has discontinued support for PolarSSL and recommends that users unmerge the package: \n \n \n # emerge --unmerge \"net-libs/polarssl\"", "edition": 1, "modified": "2018-01-15T00:00:00", "published": "2018-01-15T00:00:00", "href": "https://security.gentoo.org/glsa/201801-15", "id": "GLSA-201801-15", "type": "gentoo", "title": "PolarSSL: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-06T19:45:59", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0169", "CVE-2013-5915", "CVE-2012-2130", "CVE-2011-1923", "CVE-2013-1621", "CVE-2013-4623"], "description": "### Background\n\nPolarSSL is a cryptographic library for embedded systems.\n\n### Description\n\nMultiple vulnerabilities have been discovered in PolarSSL. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker might be able to cause Denial of Service, conduct a man-in-the middle attack, compromise an encrypted communication channel, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll PolarSSL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/polarssl-1.3.0\"", "edition": 1, "modified": "2013-10-17T00:00:00", "published": "2013-10-17T00:00:00", "id": "GLSA-201310-10", "href": "https://security.gentoo.org/glsa/201310-10", "type": "gentoo", "title": "PolarSSL: Multiple vulnerabilities", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}