polarssl - several

2013-10-2000:00:00

Google

osv.dev

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.067 Low

EPSS

Percentile

92.8%

JSON

Multiple security issues have been discovered in PolarSSL, a lightweight
crypto and SSL/TLS library:

CVE-2013-4623
Jack Lloyd discovered a denial of service vulnerability in the
parsing of PEM-encoded certificates.
CVE-2013-5914
Paul Brodeur and TrustInSoft discovered a buffer overflow in the
ssl_read_record() function, allowing the potential execution of
arbitrary code.
CVE-2013-5915
Cyril Arnaud and Pierre-Alain Fouque discovered timing attacks against
the RSA implementation.

For the oldstable distribution (squeeze), these problems will be fixed in
version 1.2.9-1~deb6u1 soon (due to a technical limitation the updates
cannot be released synchronously).

For the stable distribution (wheezy), these problems have been fixed in
version 1.2.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.1-1.

We recommend that you upgrade your polarssl packages.

CPENameOperatorVersion
polarssleq1.1.4-2
polarssleq1.2.0-1
polarssleq1.2.2-1
polarssleq1.2.3-1
polarssleq1.2.4-1
polarssleq1.2.5-1
polarssleq1.2.6-1
polarssleq1.2.7-1
polarssleq1.2.8-1
polarssleq1.2.8-2

Name	Operator	Version
polarssl	eq	1.1.4-2
polarssl	eq	1.2.0-1
polarssl	eq	1.2.2-1
polarssl	eq	1.2.3-1
polarssl	eq	1.2.4-1
polarssl	eq	1.2.5-1
polarssl	eq	1.2.6-1
polarssl	eq	1.2.7-1
polarssl	eq	1.2.8-1
polarssl	eq	1.2.8-2