libmbedcrypto7-2.27.0-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11043 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmbedcrypto7-2.27.0-1.2 on GA media These are all security issues fixed in the libmbedcrypto7-2.27.0-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11043 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11043 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-14032/ SUSE CVE CVE-2017-14032 page https://www.suse.com/security/cve/CVE-2017-2784/ SUSE CVE CVE-2017-2784 page https://www.suse.com/security/cve/CVE-2018-0487/ SUSE CVE CVE-2018-0487 page https://www.suse.com/security/cve/CVE-2018-0488/ SUSE CVE CVE-2018-0488 page https://www.suse.com/security/cve/CVE-2018-19608/ SUSE CVE CVE-2018-19608 page openSUSE Tumbleweed libmbedcrypto7-2.27.0-1.2 libmbedcrypto7-32bit-2.27.0-1.2 libmbedtls13-2.27.0-1.2 libmbedtls13-32bit-2.27.0-1.2 libmbedx509-1-2.27.0-1.2 libmbedx509-1-32bit-2.27.0-1.2 mbedtls-devel-2.27.0-1.2 libmbedcrypto7-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedcrypto7-32bit-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedtls13-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedtls13-32bit-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedx509-1-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedx509-1-32bit-2.27.0-1.2 as a component of openSUSE Tumbleweed mbedtls-devel-2.27.0-1.2 as a component of openSUSE Tumbleweed ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected. CVE-2017-14032 openSUSE Tumbleweed:libmbedcrypto7-2.27.0-1.2 openSUSE Tumbleweed:libmbedcrypto7-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-32bit-2.27.0-1.2 openSUSE Tumbleweed:mbedtls-devel-2.27.0-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14032.html CVE-2017-14032 https://bugzilla.suse.com/1056544 SUSE Bug 1056544 An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications. CVE-2017-2784 openSUSE Tumbleweed:libmbedcrypto7-2.27.0-1.2 openSUSE Tumbleweed:libmbedcrypto7-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-32bit-2.27.0-1.2 openSUSE Tumbleweed:mbedtls-devel-2.27.0-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-2784.html CVE-2017-2784 https://bugzilla.suse.com/1029017 SUSE Bug 1029017 ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session. CVE-2018-0487 openSUSE Tumbleweed:libmbedcrypto7-2.27.0-1.2 openSUSE Tumbleweed:libmbedcrypto7-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-32bit-2.27.0-1.2 openSUSE Tumbleweed:mbedtls-devel-2.27.0-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-0487.html CVE-2018-0487 https://bugzilla.suse.com/1080826 SUSE Bug 1080826 ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session. CVE-2018-0488 openSUSE Tumbleweed:libmbedcrypto7-2.27.0-1.2 openSUSE Tumbleweed:libmbedcrypto7-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-32bit-2.27.0-1.2 openSUSE Tumbleweed:mbedtls-devel-2.27.0-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-0488.html CVE-2018-0488 https://bugzilla.suse.com/1080828 SUSE Bug 1080828 Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites. CVE-2018-19608 openSUSE Tumbleweed:libmbedcrypto7-2.27.0-1.2 openSUSE Tumbleweed:libmbedcrypto7-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-32bit-2.27.0-1.2 openSUSE Tumbleweed:mbedtls-devel-2.27.0-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19608.html CVE-2018-19608 https://bugzilla.suse.com/1118727 SUSE Bug 1118727