libmbedcrypto7-2.28.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12903-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmbedcrypto7-2.28.3-1.1 on GA media These are all security issues fixed in the libmbedcrypto7-2.28.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12903 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2014-8627/ SUSE CVE CVE-2014-8627 page https://www.suse.com/security/cve/CVE-2014-8628/ SUSE CVE CVE-2014-8628 page https://www.suse.com/security/cve/CVE-2015-1182/ SUSE CVE CVE-2015-1182 page https://www.suse.com/security/cve/CVE-2015-5291/ SUSE CVE CVE-2015-5291 page https://www.suse.com/security/cve/CVE-2015-7575/ SUSE CVE CVE-2015-7575 page openSUSE Tumbleweed libmbedcrypto7-2.28.3-1.1 libmbedcrypto7-x86-64-v3-2.28.3-1.1 libmbedtls14-2.28.3-1.1 libmbedtls14-x86-64-v3-2.28.3-1.1 libmbedx509-1-2.28.3-1.1 libmbedx509-1-x86-64-v3-2.28.3-1.1 mbedtls-2-devel-2.28.3-1.1 libmbedcrypto7-2.28.3-1.1 as a component of openSUSE Tumbleweed libmbedcrypto7-x86-64-v3-2.28.3-1.1 as a component of openSUSE Tumbleweed libmbedtls14-2.28.3-1.1 as a component of openSUSE Tumbleweed libmbedtls14-x86-64-v3-2.28.3-1.1 as a component of openSUSE Tumbleweed libmbedx509-1-2.28.3-1.1 as a component of openSUSE Tumbleweed libmbedx509-1-x86-64-v3-2.28.3-1.1 as a component of openSUSE Tumbleweed mbedtls-2-devel-2.28.3-1.1 as a component of openSUSE Tumbleweed PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors. CVE-2014-8627 openSUSE Tumbleweed:libmbedcrypto7-2.28.3-1.1 openSUSE Tumbleweed:libmbedcrypto7-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:mbedtls-2-devel-2.28.3-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8627.html CVE-2014-8627 https://bugzilla.suse.com/903672 SUSE Bug 903672 Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue. CVE-2014-8628 openSUSE Tumbleweed:libmbedcrypto7-2.28.3-1.1 openSUSE Tumbleweed:libmbedcrypto7-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:mbedtls-2-devel-2.28.3-1.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-8628.html CVE-2014-8628 https://bugzilla.suse.com/903672 SUSE Bug 903672 The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate. CVE-2015-1182 openSUSE Tumbleweed:libmbedcrypto7-2.28.3-1.1 openSUSE Tumbleweed:libmbedcrypto7-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:mbedtls-2-devel-2.28.3-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1182.html CVE-2015-1182 https://bugzilla.suse.com/913903 SUSE Bug 913903 Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0. CVE-2015-5291 openSUSE Tumbleweed:libmbedcrypto7-2.28.3-1.1 openSUSE Tumbleweed:libmbedcrypto7-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:mbedtls-2-devel-2.28.3-1.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5291.html CVE-2015-5291 https://bugzilla.suse.com/949380 SUSE Bug 949380 https://bugzilla.suse.com/989694 SUSE Bug 989694 Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. CVE-2015-7575 openSUSE Tumbleweed:libmbedcrypto7-2.28.3-1.1 openSUSE Tumbleweed:libmbedcrypto7-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-2.28.3-1.1 openSUSE Tumbleweed:libmbedtls14-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-2.28.3-1.1 openSUSE Tumbleweed:libmbedx509-1-x86-64-v3-2.28.3-1.1 openSUSE Tumbleweed:mbedtls-2-devel-2.28.3-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7575.html CVE-2015-7575 https://bugzilla.suse.com/959888 SUSE Bug 959888 https://bugzilla.suse.com/960402 SUSE Bug 960402 https://bugzilla.suse.com/960996 SUSE Bug 960996 https://bugzilla.suse.com/961280 SUSE Bug 961280 https://bugzilla.suse.com/961281 SUSE Bug 961281 https://bugzilla.suse.com/961282 SUSE Bug 961282 https://bugzilla.suse.com/961283 SUSE Bug 961283 https://bugzilla.suse.com/961284 SUSE Bug 961284 https://bugzilla.suse.com/961290 SUSE Bug 961290 https://bugzilla.suse.com/961357 SUSE Bug 961357 https://bugzilla.suse.com/962743 SUSE Bug 962743 https://bugzilla.suse.com/963937 SUSE Bug 963937 https://bugzilla.suse.com/967521 SUSE Bug 967521 https://bugzilla.suse.com/981087 SUSE Bug 981087