From owner-svn-ports-all@freebsd.org Tue Oct 6 02:24:47 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7D1F49B9BD4; Tue, 6 Oct 2015 02:24:47 +0000 (UTC) (envelope-from junovitch@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6D2BD8EB; Tue, 6 Oct 2015 02:24:47 +0000 (UTC) (envelope-from junovitch@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t962Ol68034192; Tue, 6 Oct 2015 02:24:47 GMT (envelope-from junovitch@FreeBSD.org) Received: (from junovitch@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t962OlxZ034191; Tue, 6 Oct 2015 02:24:47 GMT (envelope-from junovitch@FreeBSD.org) Message-Id: <201510060224.t962OlxZ034191@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: junovitch set sender to junovitch@FreeBSD.org using -f From: Jason Unovitch Date: Tue, 6 Oct 2015 02:24:47 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r398677 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Oct 2015 02:24:47 -0000 Author: junovitch Date: Tue Oct 6 02:24:46 2015 New Revision: 398677 URL: https://svnweb.freebsd.org/changeset/ports/398677 Log: Document recent mbed TLS/PolarSSL security releases PR: 203544 Security: 5d280761-6bcf-11e5-9909-002590263bf5 Security: 953aaa57-6bce-11e5-9909-002590263bf5 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Oct 6 00:52:56 2015 (r398676) +++ head/security/vuxml/vuln.xml Tue Oct 6 02:24:46 2015 (r398677) @@ -58,6 +58,80 @@ Notes: --> + + mbedTLS/PolarSSL -- multiple vulnerabilities + + + polarssl + 1.2.01.2.16 + + + polarssl13 + 1.3.01.3.13 + + + mbedtls + 2.1.1 + + + + +

ARM Limited reports:

+
+

Florian Weimar from Red Hat published on Lenstra's RSA-CRT attach + for PKCS#1 v1.5 signatures. These releases include countermeasures + against that attack.

+

Fabian Foerg of Gotham Digital Science found a possible client-side + NULL pointer dereference, using the AFL Fuzzer. This dereference can + only occur when misusing the API, although a fix has still been + implemented.

+
+ + + + https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released + + + 2015-09-18 + 2015-10-06 + + + + + mbedTLS/PolarSSL -- multiple vulnerabilities + + + polarssl + 1.2.01.2.15 + + + polarssl13 + 1.3.01.3.12 + + + + +

ARM Limited reports:

+
+

In order to strengthen the minimum requirements for connections and + to protect against the Logjam attack, the minimum size of + Diffie-Hellman parameters accepted by the client has been increased + to 1024 bits.

+

In addition the default size for the Diffie-Hellman parameters on + the server are increased to 2048 bits. This can be changed with + ssl_set_dh_params() in case this is necessary.

+
+ + + + https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released + + + 2015-08-11 + 2015-10-06 + + + gdk-pixbuf2 -- head overflow and DoS