Red Hat Bugzilla – Bug 908425
CVE-2013-1622 polarssl: improper MAC check if sanity check fails leads to DoS
Last modified: 2013-02-27 20:20:59 EST
In addition to the fix for CVE-2013-0169, PolarSSL 1.2.5 corrects the following problem:
"PolarSSL ... it does not perform any MAC check if this
sanity check fails, but instead exits immediately. This would
render the implementation vulnerable to a simple timing-based
distinguishing attack." (requires a non-default configuration with
"TLS alert messages when decryption errors are encountered")
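The failure mode the quoted release note describes, shown as an added illustration in C that is not PolarSSL's code: the record layout (payload || MAC || padding || padding-length byte), the toy keyed checksum `toy_mac`, the `mac_calls` counter and the function names are all constructed for this example. `verify_early_exit` returns as soon as the padding-length sanity check fails and never evaluates the MAC, so the amount of work done depends on whether the padding looked valid; `verify_always_mac` records the failed check as a flag, forces the padding length into range with a mask, always computes and compares the MAC, and only then combines both results.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAC_LEN 4

/* Counts MAC evaluations so a caller can observe whether the MAC was
   computed regardless of the sanity-check outcome (instrumentation
   added for this example). */
static int mac_calls = 0;
int mac_call_count(void) { return mac_calls; }
void reset_mac_calls(void) { mac_calls = 0; }

/* Toy keyed checksum standing in for HMAC. Constructed for this
   illustration only; it is not a secure MAC. */
static void toy_mac(const uint8_t *key, size_t keylen,
                    const uint8_t *msg, size_t msglen, uint8_t out[MAC_LEN])
{
    uint32_t h = 2166136261u;
    mac_calls++;
    for (size_t i = 0; i < keylen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < msglen; i++) { h ^= msg[i]; h *= 16777619u; }
    for (size_t i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Constant-time equality: no early exit on the first differing byte. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Builds a decrypted-record image: payload || MAC || padding || padlen.
   Returns the total length; buf must hold plen + MAC_LEN + padlen + 1 bytes. */
size_t build_record(const uint8_t *key, size_t keylen,
                    const uint8_t *payload, size_t plen,
                    uint8_t padlen, uint8_t *buf)
{
    memcpy(buf, payload, plen);
    toy_mac(key, keylen, payload, plen, buf + plen);
    memset(buf + plen + MAC_LEN, padlen, padlen);
    buf[plen + MAC_LEN + padlen] = padlen;
    return plen + MAC_LEN + padlen + 1;
}

/* Pattern the release note describes: if the padding-length sanity check
   fails, return immediately and never touch the MAC. */
int verify_early_exit(const uint8_t *key, size_t keylen,
                      const uint8_t *rec, size_t len)
{
    if (len < MAC_LEN + 1) return 0;
    size_t padlen = rec[len - 1];
    if (padlen + MAC_LEN + 1 > len) return 0;      /* no MAC work at all */
    size_t msglen = len - MAC_LEN - 1 - padlen;
    uint8_t mac[MAC_LEN];
    toy_mac(key, keylen, rec, msglen, mac);
    return ct_equal(mac, rec + msglen, MAC_LEN);
}

/* Hardened pattern: the failed sanity check becomes a flag, the padding
   length is clamped with a mask rather than a branch, the MAC is always
   computed and compared, and the verdict combines both results. */
int verify_always_mac(const uint8_t *key, size_t keylen,
                      const uint8_t *rec, size_t len)
{
    if (len < MAC_LEN + 1) return 0;
    size_t padlen = rec[len - 1];
    size_t bad = (padlen + MAC_LEN + 1 > len);     /* 1 when the check fails */
    size_t mask = (size_t)0 - bad;                 /* all ones when bad */
    padlen &= ~mask;                               /* treat as zero padding when bad */
    size_t msglen = len - MAC_LEN - 1 - padlen;
    uint8_t mac[MAC_LEN];
    toy_mac(key, keylen, rec, msglen, mac);        /* always evaluated */
    int ok = ct_equal(mac, rec + msglen, MAC_LEN);
    return ok & (int)(1 - bad);
}

int main(void)
{
    const uint8_t key[] = {1, 2, 3, 4};
    const uint8_t payload[] = {'h', 'e', 'l', 'l', 'o'};
    uint8_t buf[64];
    size_t n = build_record(key, sizeof key, payload, sizeof payload, 3, buf);

    reset_mac_calls();
    printf("valid record: early_exit=%d always_mac=%d mac_calls=%d\n",
           verify_early_exit(key, sizeof key, buf, n),
           verify_always_mac(key, sizeof key, buf, n), mac_call_count());

    buf[n - 1] = 0xff;                             /* padding length out of range */
    reset_mac_calls();
    int e = verify_early_exit(key, sizeof key, buf, n);
    int calls_early = mac_call_count();
    reset_mac_calls();
    int a = verify_always_mac(key, sizeof key, buf, n);
    printf("bad padding: early_exit=%d (mac_calls=%d) always_mac=%d (mac_calls=%d)\n",
           e, calls_early, a, mac_call_count());
    return 0;
}
```

The counter makes the difference visible without timing measurements: on the corrupted record the early-exit version performs zero MAC evaluations while the hardened version still performs one. This example only removes the "skip the MAC entirely" step named in the release note; a complete mitigation for CBC-mode records also has to make the MAC computation itself consume a fixed number of compression-function blocks regardless of the claimed padding length, which this toy does not attempt.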
Created polarssl tracking bugs for this issue
Affects: fedora-all [bug 907982]
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
Reason: This candidate is not a security issue. Further investigation showed that, because of RFC noncompliance, no version or configuration of the product had the vulnerability previously associated with this ID.