In addition to the fix for CVE-2013-0169, PolarSSL 1.2.5 corrects the following problem: "PolarSSL ... it does not perform any MAC check if this sanity check fails, but instead exits immediately. This would render the implementation vulnerable to a simple timing-based distinguishing attack." (requires a non-default configuration with "TLS alert messages when decryption errors are encountered")
Created polarssl tracking bugs for this issue Affects: fedora-all [bug 907982]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1622 says ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is not a security issue. Further investigation showed that, because of RFC noncompliance, no version or configuration of the product had the vulnerability previously associated with this ID. Notes: none.