[arch-security] [ASA-201601-29] mbedtls: man-in-the-middle
Arch Linux Security Advisory ASA-201601-29
==========================================

Severity: Medium
Date    : 2016-01-25
CVE-ID  : CVE-2015-7575
Package : mbedtls
Type    : man-in-the-middle
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mbedtls before version 2.2.1-1 is vulnerable to
man-in-the-middle.

Resolution
==========

Upgrade to 2.2.1-1.

# pacman -Syu "mbedtls>=2.2.1-1"

The problem has been fixed upstream in version 2.2.1.

Workaround
==========

None.

Description
===========

mbedTLS before 2.2.1 is vulnerable to the SLOTH attack, breaking MD5
signatures potentially used during TLS 1.2 handshakes to impersonate a
TLS server.

Impact
======

A remote attacker might be able to impersonate a TLS server, acting as a
man-in-the-middle.

References
==========

https://bugs.archlinux.org/task/47783
https://access.redhat.com/security/cve/CVE-2015-7575
http://www.mitls.org/pages/attacks/SLOTH
https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-po...
Remi Gacogne
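The Description turns on MD5-based signatures being usable in TLS 1.2 handshakes. The following is an added example, not part of the advisory or of mbedTLS: it parses the body of a TLS 1.2 signature_algorithms extension (code points from RFC 5246, section 7.4.1.4.1) and reports any MD5 pairs a peer advertises. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1).
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"md5"}  # the hash the advisory's Description names


def parse_signature_algorithms(ext_body: bytes):
    """Decode a signature_algorithms extension body into (hash, sig) names.

    ext_body is the extension_data only: a 2-byte list length followed by
    2-byte (hash, signature) pairs. Malformed input raises ValueError.
    """
    if len(ext_body) < 2:
        raise ValueError("truncated: missing list length")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:]
    if list_len == 0 or list_len % 2 or list_len != len(pairs):
        raise ValueError("malformed supported_signature_algorithms list")
    decoded = []
    for i in range(0, list_len, 2):
        h, s = pairs[i], pairs[i + 1]
        decoded.append((HASHES.get(h, f"unknown({h})"),
                        SIGS.get(s, f"unknown({s})")))
    return decoded


def md5_offers(ext_body: bytes):
    """Return the advertised pairs whose hash is MD5."""
    return [p for p in parse_signature_algorithms(ext_body)
            if p[0] in WEAK_HASHES]


# Constructed samples (not captured traffic).
# sha256/rsa, sha1/rsa, md5/rsa, sha256/ecdsa
SAMPLE_WITH_MD5 = bytes.fromhex("0008" "0401" "0201" "0101" "0403")
# sha512/rsa, sha256/rsa, sha256/ecdsa
SAMPLE_WITHOUT_MD5 = bytes.fromhex("0006" "0601" "0401" "0403")

if __name__ == "__main__":
    for name, body in (("with-md5", SAMPLE_WITH_MD5),
                       ("without-md5", SAMPLE_WITHOUT_MD5)):
        flagged = md5_offers(body)
        print(name, "->", flagged if flagged else "no MD5 pairs advertised")
```

A clean list shows only what a peer advertises, not what its TLS library will accept, so the upgrade in the Resolution section remains the fix.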