903672 – (CVE-2014-8627) VUL-0: CVE-2014-8627: polarssl: polarssl 1.3.8 used in a server picks weaker signature algorithm than available

Bug 903672 (CVE-2014-8627) - VUL-0: CVE-2014-8627: polarssl: polarssl 1.3.8 used in a server picks weaker signature algorithm than available

Summary: VUL-0: CVE-2014-8627: polarssl: polarssl 1.3.8 used in a server picks weaker ...

Status:	RESOLVED FIXED

Alias:	CVE-2014-8627

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Mariusz Fik
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-11-03 12:47 UTC by Mariusz Fik
Modified:	2014-11-20 07:51 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mariusz Fik 2014-11-03 12:47:31 UTC

"On the security front this release fixes a mistake in the negotiation introduced in PolarSSL 1.3.8. The mistake resulted in servers negotiating a weaker signature algorithm than available. In addition two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in this release.

No new features are introduced in this release. A number of changes in behaviour and bug fixes are included."

https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released

Comment 1 Marcus Meissner 2014-11-04 07:01:07 UTC

(is in 13.2, so needs an update)

and also needs CVEs.

Comment 2 Marcus Meissner 2014-11-04 07:03:26 UTC

assigned Mariusz as maintainer of polarssl in OBS and reassign bug to him.

Comment 3 Marcus Meissner 2014-11-04 07:07:25 UTC

request cve(s) on oss-sec

Comment 4 Swamp Workflow Management 2014-11-04 23:00:34 UTC

bugbot adjusting priority

Comment 5 Mariusz Fik 2014-11-05 22:28:47 UTC

I searched CVE db, but there is no entries about this issue.
Updated package is already in devel project and Factory.

Can I just create maintenance incident?

Comment 6 Marcus Meissner 2014-11-06 07:25:29 UTC

so far no reply on my cve request.

please open a MR without CVEs.

Comment 7 Mariusz Fik 2014-11-06 11:50:07 UTC

Done. rq#260041.

Comment 8 Bernhard Wiedemann 2014-11-06 12:00:15 UTC

This is an autogenerated message for OBS integration:
This bug (903672) was mentioned in
https://build.opensuse.org/request/show/260041 13.2 / polarssl

Comment 9 Marcus Meissner 2014-11-06 12:28:13 UTC

> https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released

> this release fixes a mistake in the negotiation introduced in PolarSSL
> 1.3.8. The mistake resulted in servers negotiating a weaker signature
> algorithm than available.

Use CVE-2014-8627.


> two remotely-triggerable memory leaks were found by the Codenomicon
> Defensics tool and fixed in this release.

Use CVE-2014-8628.

Comment 10 Marcus Meissner 2014-11-10 14:17:05 UTC

(i declined your maintenancerequest, can you resubmit with CVEs added?)

Comment 11 Mariusz Fik 2014-11-10 19:12:58 UTC

Sorry for delay. I filled up .changes with CVE entries. rq#260748

Comment 12 Bernhard Wiedemann 2014-11-10 20:00:40 UTC

This is an autogenerated message for OBS integration:
This bug (903672) was mentioned in
https://build.opensuse.org/request/show/260748 13.2 / polarssl

Comment 13 Swamp Workflow Management 2014-11-19 16:05:38 UTC

openSUSE-SU-2014:1457-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 903671,903672
CVE References: CVE-2014-8627,CVE-2014-8628
Sources used:
openSUSE 13.2 (src):    polarssl-1.3.9-4.1

Comment 14 Marcus Meissner 2014-11-20 07:51:55 UTC

was released