UbuntuUpdates.org

Package "libmbedtls10"

Name: libmbedtls10

Description:

lightweight crypto and SSL/TLS library - tls library

Latest version: 2.2.1-2ubuntu0.3
Release: xenial (16.04)
Level: updates
Repository: universe
Head package: mbedtls
Homepage: https://tls.mbed.org/

Other versions of "libmbedtls10" in Xenial

Repository   Area       Version
base         universe   2.2.1-2
security     universe   2.2.1-2ubuntu0.3

Changelog

Version: 2.2.1-2ubuntu0.3 2020-02-05 17:07:09 UTC

  mbedtls (2.2.1-2ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflows and sensitive information disclosures
    - debian/patches/CVE-2017-18187.patch: Prevent bounds check bypass through
      overflow in PSK identity.
    - debian/patches/CVE-2018-0487.patch: RSA: Fix buffer overflow in PSS
      signature verification.
    - debian/patches/CVE-2018-0488-1.patch: Fix heap corruption in
      ssl_decrypt_buf.
    - debian/patches/CVE-2018-0488-2.patch: Fix SSLv3 MAC computation.
    - debian/patches/CVE-2018-0497.patch: Fix Lucky13 attack protection when
      using HMAC-SHA-384.
    - debian/patches/CVE-2018-0498-1.patch: Fix Lucky13 cache attack on
      MD/SHA padding.
    - debian/patches/CVE-2018-0498-2.patch: Add counter-measure to cache-based
      Lucky 13.
    - debian/patches/CVE-2018-0498-3.patch: Avoid debug message that might
      leak length.
    - CVE-2017-18187
    - CVE-2018-0487
    - CVE-2018-0488
    - CVE-2018-0497
    - CVE-2018-0498
  * SECURITY UPDATE: Update some certificates for the tests
    - debian/patches/regenerate-test-files.patch: Regenerate test files from
      recent version.

 -- Paulo Flabiano Smorigo <email address hidden> Tue, 04 Feb 2020 12:56:35 +0000

CVE-2017-18187 In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity
CVE-2018-0487 ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer ov
CVE-2018-0488 ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute a
CVE-2018-0497 ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuit
CVE-2018-0498 ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users to achieve partial plaintext recovery (for a CBC based ciphersuite) vi

Version: 2.2.1-2ubuntu0.2 2017-09-08 05:06:34 UTC

  mbedtls (2.2.1-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: If optional authentication is configured, allows
    remote attackers to bypass peer authentication via an X.509 certificate
    chain with many intermediates. (LP: #1714640)
    - debian/patches/CVE-2017-14032.patch, backport two upstream patches to
      return and handle a new "fatal error" error code in case of long
      certificate chains.
    - CVE-2017-14032

 -- James Cowgill <email address hidden> Wed, 06 Sep 2017 21:00:51 +0100

Version: 2.2.1-2ubuntu0.1 2017-03-24 08:06:58 UTC

  mbedtls (2.2.1-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Freeing of memory allocated on stack when validating
    a public key with a secp224k1 curve. (LP: #1672686)
    - debian/patches/CVE-2017-2784.patch: fix buffer size calculations in
      library/ecp_curves.c.
    - CVE-2017-2784

 -- James Cowgill <email address hidden> Fri, 17 Mar 2017 09:36:37 +0000

1672686 CVE-2017-2784 - Freeing of memory allocated on stack when validating a public key with a secp224k1 curve