Bug 1297437
Summary: | mbedtls, polarssl: potential double free during certificate generation
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Andrej Nemec <anemec>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA
Severity: | low
Priority: | low
Version: | unspecified
CC: | mads, mstevens, redhat-bugzilla
Keywords: | Security
Hardware: | All
OS: | Linux
Fixed In Version: | mbedtls 2.2.1, mbedtls 2.1.4, mbedtls 1.3.16, polarssl 1.2.19
Doc Type: | Bug Fix
Last Closed: | 2021-10-21 00:49:16 UTC
Bug Depends On: | 1297438, 1297439

Description
Andrej Nemec
2016-01-11 14:15:27 UTC
Fedora 22, package polarssl, is not vulnerable because it currently has polarssl-1.3.9-3.fc22 in stable

Created mbedtls tracking bugs for this issue:

Affects: fedora-all [bug 1297438]
Affects: epel-all [bug 1297439]

Please note: PolarSSL has been replaced with mbedTLS. We no longer support PolarSSL.

(In reply to Morten Stevens from comment #3)
> Please note: PolarSSL has been replaced with mbedTLS. We no longer
> support PolarSSL.

Hi, unfortunately the polarssl package is still available in the latest version of Fedora. If you no longer support PolarSSL and will not build new fixed versions, then the package should be removed according to the guidelines in:

https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

(In reply to Martin Prpic from comment #4)
> (In reply to Morten Stevens from comment #3)
> > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > support PolarSSL.
>
> Hi, unfortunately the polarssl package is still available in the latest
> version of Fedora. If you no longer support PolarSSL and will not build new
> fixed versions, then the package should be removed according to the
> guidelines in:
>
> https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Of course, that has already happened:
https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/

Regarding Fedora 22: You'll get mbedTLS automatically if you have the older PolarSSL installed.

(In reply to Morten Stevens from comment #5)
> (In reply to Martin Prpic from comment #4)
> > (In reply to Morten Stevens from comment #3)
> > > Please note: PolarSSL has been replaced with mbedTLS. We no longer
> > > support PolarSSL.
> >
> > Hi, unfortunately the polarssl package is still available in the latest
> > version of Fedora. If you no longer support PolarSSL and will not build new
> > fixed versions, then the package should be removed according to the
> > guidelines in:
> >
> > https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
>
> Of course, that has already happened:
> https://admin.fedoraproject.org/pkgdb/package/rpms/polarssl/
>

Ah, cool, this build confused me because it's tagged as f23 but not actually in the mirrors:

http://koji.fedoraproject.org/koji/buildinfo?buildID=658695

> Regarding Fedora 22: You'll get mbedTLS automatically if you have the
> older PolarSSL installed.

Fair enough, thanks!

mbedtls-2.2.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

mbedtls-1.3.16-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

mbedtls-2.2.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

mbedtls-2.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

mbedtls-2.2.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.