Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Hi, On Tue, 2015-10-27 at 22:29 +0100, Moritz Mühlenhoff wrote: > On Wed, Oct 21, 2015 at 01:43:26PM +0100, James Cowgill wrote: > > Hi, > > > > On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote: > > > * James Cowgill: > > [...] > > > > One thing which was suggested was to use 1.3.14 and

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

On Wed, Oct 21, 2015 at 01:43:26PM +0100, James Cowgill wrote: > Hi, > > On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote: > > * James Cowgill: > [...] > > > One thing which was suggested was to use 1.3.14 and then disable at > > > compile time all the new features which may affect the ABI

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Hi, So regardless of the ABI issues affecting jessie, the first thing to do is to fix this in unstable which can be done by just uploading 1.3.14 and doing an ABI transition. I've attached a debdiff for an NMU to experimental which would start this off. The orig tarball is not included in the

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Hi, On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote: > * James Cowgill: [...] > > One thing which was suggested was to use 1.3.14 and then disable at > > compile time all the new features which may affect the ABI and then > > revert the SONAME change, but is doing that actually allowed

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Hi, So I asked upstream about the specific commits which fixed this bug here: https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291 They seemed pretty resistive to the idea of just adding specific patches on top of 1.3.9, and if you look at the changelog there are a

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

* James Cowgill: > They seemed pretty resistive to the idea of just adding specific > patches on top of 1.3.9, and if you look at the changelog there are a > number of other security bugs which seem important but don't have CVEs > because they couldn't be triggered remotely. >

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

On Fri, 09 Oct 2015 22:02:21 +0200 Salvatore Bonaccorso wrote: > Source: polarssl > Version: 1.2.8-2 > Severity: grave > Tags: security upstream fixed-upstream > > Hi, > > the following vulnerability was published for polarssl. > > CVE-2015-5291[0]: > Remote attack on

Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Source: polarssl Version: 1.2.8-2 Severity: grave Tags: security upstream fixed-upstream Hi, the following vulnerability was published for polarssl. CVE-2015-5291[0]: Remote attack on clients using session tickets or SNI It has been fixed in PolarSSL 1.2.17 branch, then the rebranded mbed TLS