Change logs for mbedtls source package in Xenial

  • mbedtls (2.2.1-2ubuntu0.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overflows and sensitive information disclosures
        - debian/patches/CVE-2017-18187.patch: Prevent bounds check bypass through
          overflow in PSK identity.
        - debian/patches/CVE-2018-0487.patch: RSA: Fix buffer overflow in PSS
          signature verification.
        - debian/patches/CVE-2018-0488-1.patch: Fix heap corruption in
          ssl_decrypt_buf.
        - debian/patches/CVE-2018-0488-2.patch: Fix SSLv3 MAC computation.
        - debian/patches/CVE-2018-0497.patch: Fix Lucky13 attack protection when
          using HMAC-SHA-384.
        - debian/patches/CVE-2018-0498-1.patch: Fix Lucky13 cache attack on
          MD/SHA padding.
        - debian/patches/CVE-2018-0498-2.patch: Add counter-measure to cache-based
          Lucky 13.
        - debian/patches/CVE-2018-0498-3.patch: Avoid debug message that might
          leak length.
        - CVE-2017-18187
        - CVE-2018-0487
        - CVE-2018-0488
        - CVE-2018-0497
        - CVE-2018-0498
      * SECURITY UPDATE: Update some certificates for the tests
        - debian/patches/regenerate-test-files.patch: Regenerate test files from
          recent version.
    
     -- Paulo Flabiano Smorigo <email address hidden>  Tue, 04 Feb 2020 12:56:35 +0000
  • mbedtls (2.2.1-2ubuntu0.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: If optional authentication is configured, allows
        remote attackers to bypass peer authentication via an X.509 certificate
        chain with many intermediates. (LP: #1714640)
        - debian/patches/CVE-2017-14032.patch, backport two upstream patches to
          return and handle a new "fatal error" error code in case of long
          certificate chains.
        - CVE-2017-14032
    
     -- James Cowgill <email address hidden>  Wed, 06 Sep 2017 21:00:51 +0100
  • mbedtls (2.2.1-2ubuntu0.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Freeing of memory allocated on stack when validating
        a public key with a secp224k1 curve. (LP: #1672686)
        - debian/patches/CVE-2017-2784.patch: fix buffer size calculations in
          library/ecp_curves.c.
        - CVE-2017-2784
    
     -- James Cowgill <email address hidden>  Fri, 17 Mar 2017 09:36:37 +0000
  • mbedtls (2.2.1-2) unstable; urgency=medium
    
      * debian/control:
        - Use secure Vcs-Git URL.
      * debian/libmbedcrypto0.lintian-override:
        - Drop now that lintian itself has been fixed.
      * debian/rules:
        - Don't build arch:any packages in arch:all build.
      * debian/*.symbols:
        - Drop unnecessary patch level from symbol file versions.
      * debian/tests:
        - Add an autopkgtest which compiles and runs the selftest program.
    
     -- James Cowgill <email address hidden>  Sat, 16 Jan 2016 00:12:49 +0000
  • mbedtls (2.2.1-1) unstable; urgency=medium
    
      * New upstream version.
    
     -- James Cowgill <email address hidden>  Tue, 05 Jan 2016 13:15:33 +0000
  • mbedtls (2.2.0-1) unstable; urgency=medium
    
      * New upstream version.
    
      * debian/changelog:
        - Include changelog entries from the polarssl package.
      * debian/*.symbols:
        - Add new symbols introduced in 2.2.
      * debian/rules:
        - Don't build documentation in binary-only builds.
    
     -- James Cowgill <email address hidden>  Tue, 15 Dec 2015 14:43:09 +0000
  • mbedtls (2.1.2-1) unstable; urgency=medium
    
      * Initial release. (Closes: #801420)
    
     -- James Cowgill <email address hidden>  Fri, 16 Oct 2015 12:55:27 +0100