A flaw was found in PolarSSl and mbed TLS: When the client creates its ClientHello message, due to insufficient bounds checking it can overflow the heap-based buffer containing the message while writing some extensions. Two extensions in particular could be used by a remote attacker to trigger the overflow: the session ticket extension and the server name indication (SNI) extension. This issue is fixed in PolarSSL 1.2.17 and up, mbed TLS 1.3.14 and up, mbed TLS 2.1.2 and up. External References: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01
Created mbedtls tracking bugs for this issue: Affects: fedora-all [bug 1270172] Affects: epel-all [bug 1270173]
Created polarssl tracking bugs for this issue: Affects: fedora-all [bug 1270171]
Upstream patches: https://github.com/ARMmbed/mbedtls/commit/c988f32adde62a169ba340fee0da15aecd40e76e https://github.com/ARMmbed/mbedtls/commit/b1e325d6b2bd9c504536fbbd45dce348f0a6c40c https://github.com/ARMmbed/mbedtls/commit/643a922c56b77235e88f106fb1b41c1a764cea5f https://github.com/ARMmbed/mbedtls/commit/f3e6e4badb35760c9a543ee69b7449cb0cd9784b
mbedtls-1.3.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-1.3.14-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-1.3.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-1.3.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-1.3.14-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
mbedtls-2.1.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Adding a second CVE per MITRE's assignment: Name: CVE-2015-8036 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8036 Assigned: 20151102 Reference: http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.