Security update for mbedtls
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2016:0162-1
Final
1
1
2016-01-19T08:03:15Z
current
2016-01-19T08:03:15Z
2016-01-19T08:03:15Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
This update to mbedtls 1.3.16 fixes the following security issues:
* CVE-2015-7575: MD5 handshake signatures in TLS 1.2 are now disabled by default to prevent the SLOTH attack on TLS 1.2 server authentication (boo#961284)
* boo#961290: potential double free during certificate generation
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
E-Mail link for openSUSE-SU-2016:0162-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.1
libmbedtls9-1.3.16-9.1
libmbedtls9-32bit-1.3.16-9.1
mbedtls-1.3.16-9.1
mbedtls-devel-1.3.16-9.1
libmbedtls9-1.3.16-9.1 as a component of openSUSE Leap 42.1
libmbedtls9-32bit-1.3.16-9.1 as a component of openSUSE Leap 42.1
mbedtls-1.3.16-9.1 as a component of openSUSE Leap 42.1
mbedtls-devel-1.3.16-9.1 as a component of openSUSE Leap 42.1
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVE-2015-7575
openSUSE Leap 42.1:libmbedtls9-1.3.16-9.1
openSUSE Leap 42.1:libmbedtls9-32bit-1.3.16-9.1
openSUSE Leap 42.1:mbedtls-1.3.16-9.1
openSUSE Leap 42.1:mbedtls-devel-1.3.16-9.1
moderate
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Please install the update.
https://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
https://www.suse.com/security/cve/CVE-2015-7575.html
CVE-2015-7575
https://bugzilla.suse.com/959888
SUSE Bug 959888
https://bugzilla.suse.com/960402
SUSE Bug 960402
https://bugzilla.suse.com/960996
SUSE Bug 960996
https://bugzilla.suse.com/961280
SUSE Bug 961280
https://bugzilla.suse.com/961281
SUSE Bug 961281
https://bugzilla.suse.com/961282
SUSE Bug 961282
https://bugzilla.suse.com/961283
SUSE Bug 961283
https://bugzilla.suse.com/961284
SUSE Bug 961284
https://bugzilla.suse.com/961290
SUSE Bug 961290
https://bugzilla.suse.com/961357
SUSE Bug 961357
https://bugzilla.suse.com/962743
SUSE Bug 962743
https://bugzilla.suse.com/963937
SUSE Bug 963937
https://bugzilla.suse.com/967521
SUSE Bug 967521
https://bugzilla.suse.com/981087
SUSE Bug 981087