[arch-security] [Arch Linux Security Advisory ASA-201411-4] polarssl: multiple issues
anthraxx at archlinux.org
Thu Nov 6 20:23:10 UTC 2014
Arch Linux Security Advisory ASA-201411-4
Date : 2014-11-06
CVE-ID : CVE-2014-8627, CVE-2014-8628
Package : polarssl
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package polarssl before version 1.3.9-1 is vulnerable to multiple
issues including weak signature negotiation and remotely triggerable
Upgrade to 1.3.9-1.
# pacman -Syu "polarssl>=1.3.9-1"
The problem has been fixed upstream in version 1.3.9.
- CVE-2014-8627 (weak signature negotiation)
A mistake resulted in servers negotiating the lowest common hash from
the signature_algorithms extension in TLS 1.2.
- CVE-2014-8628 (memory leaks)
Two issues were found that result in remotely triggerable memory leaks
when parsing crafted ClientHello messages or X.509 certificates.
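To make the CVE-2014-8627 description concrete, the following added example (not PolarSSL's code) contrasts a server that keeps the weakest hash both sides support with one that walks its own preference list strongest-first; the extension bytes, the server preference order and the RSA-only filter are assumptions for the illustration.

```c
/* Added example, not PolarSSL code: selecting the hash for TLS 1.2 signatures
 * from a client's signature_algorithms extension (RFC 5246, 7.4.1.4.1). */
#include <stddef.h>
#include <stdint.h>

enum { HASH_NONE = 0, HASH_MD5 = 1, HASH_SHA1 = 2, HASH_SHA224 = 3,
       HASH_SHA256 = 4, HASH_SHA384 = 5, HASH_SHA512 = 6 };
enum { SIG_RSA = 1 };

/* Assumed server policy: acceptable hashes, strongest first. */
static const uint8_t server_pref[] = { HASH_SHA512, HASH_SHA384, HASH_SHA256, HASH_SHA1 };

static int server_supports(uint8_t hash) {
    for (size_t i = 0; i < sizeof server_pref; i++)
        if (server_pref[i] == hash) return 1;
    return 0;
}

/* Extension body: 2-byte length followed by (hash, signature) pairs.
 * Returns 0 when the declared length does not match the data. */
static int parse_sig_algs(const uint8_t *ext, size_t len, const uint8_t **pairs, size_t *npairs) {
    if (len < 2) return 0;
    size_t l = ((size_t)ext[0] << 8) | ext[1];
    if (l + 2 != len || l % 2 != 0) return 0;
    *pairs = ext + 2;
    *npairs = l / 2;
    return 1;
}

/* Weak behaviour of the kind the advisory describes: keeps the lowest hash id
 * the server also supports, so SHA-1 wins when SHA-256 was offered too. */
int pick_hash_weak(const uint8_t *ext, size_t len) {
    const uint8_t *p; size_t n; int best = HASH_NONE;
    if (!parse_sig_algs(ext, len, &p, &n)) return HASH_NONE;
    for (size_t i = 0; i < n; i++)
        if (p[2*i+1] == SIG_RSA && server_supports(p[2*i]) && (best == HASH_NONE || p[2*i] < best))
            best = p[2*i];
    return best;
}

/* Fixed behaviour: take the first entry of the server's preference list that the
 * client also offered, so the strongest common hash is chosen. */
int pick_hash_fixed(const uint8_t *ext, size_t len) {
    const uint8_t *p; size_t n;
    if (!parse_sig_algs(ext, len, &p, &n)) return HASH_NONE;
    for (size_t s = 0; s < sizeof server_pref; s++)
        for (size_t i = 0; i < n; i++)
            if (p[2*i+1] == SIG_RSA && p[2*i] == server_pref[s]) return server_pref[s];
    return HASH_NONE;
}

/* Constructed client extension: sha1/rsa, sha256/rsa, sha384/rsa. */
const uint8_t client_ext[] = { 0x00, 0x06, HASH_SHA1, SIG_RSA, HASH_SHA256, SIG_RSA, HASH_SHA384, SIG_RSA };
const size_t client_ext_len = sizeof client_ext;
```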
A remote attacker is able to trigger memory leaks which may result in
memory exhaustion and therefore denial of service. Additionally due to
weak negotiated signature algorithms an attacker may be able to perform