Bug 903672 (CVE-2014-8627)

Summary: VUL-0: CVE-2014-8627: polarssl: polarssl 1.3.8 used in a server picks weaker signature algorithm than available
Product: [Novell Products] SUSE Security Incidents
Reporter: Mariusz Fik <fisiu>
Component: Incidents
Assignee: Mariusz Fik <fisiu>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: fisiu, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mariusz Fik 2014-11-03 12:47:31 UTC
"On the security front this release fixes a mistake in the negotiation introduced in PolarSSL 1.3.8. The mistake resulted in servers negotiating a weaker signature algorithm than available. In addition two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in this release.

No new features are introduced in this release. A number of changes in behaviour and bug fixes are included."

https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released
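The release note above says only that the server ended up with a weaker signature algorithm than both sides supported. As an added illustration of that failure class (this is example code, not PolarSSL's own implementation, and it does not claim to reproduce the exact 1.3.8 defect), the block below parses a constructed TLS 1.2 signature_algorithms extension (RFC 5246, section 7.4.1.4.1) and contrasts two server-side selection policies: taking the first usable pair in the client's list, which a compatibility-first client drags down to SHA-1, and taking the strongest hash the server supports from that list. The hash ranking, the server's configured hash set and the client's offered list are all assumptions constructed for the example.

```python
# Added illustration (not PolarSSL code): how a TLS 1.2 server chooses the
# (hash, signature) pair for its ServerKeyExchange from the client's
# signature_algorithms extension (RFC 5246, section 7.4.1.4.1).

# IANA HashAlgorithm codes from RFC 5246, mapped to a relative strength rank
# (higher is stronger). The ranking itself is this example's assumption.
HASH_RANK = {2: 1, 3: 2, 4: 3, 5: 4, 6: 5}
HASH_NAME = {2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_RSA, SIG_ECDSA = 1, 3  # IANA SignatureAlgorithm codes from RFC 5246


def parse_signature_algorithms(ext_body: bytes) -> list[tuple[int, int]]:
    """Parse the body of a signature_algorithms extension: a 2-byte length
    followed by (HashAlgorithm, SignatureAlgorithm) byte pairs."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    length = int.from_bytes(ext_body[:2], "big")
    if length == 0 or length % 2 or 2 + length != len(ext_body):
        raise ValueError("malformed supported_signature_algorithms length")
    pairs = ext_body[2:]
    return [(pairs[i], pairs[i + 1]) for i in range(0, length, 2)]


def _usable(offered, sig_alg, supported_hashes):
    """Pairs the server can actually use: its own key type, a hash it has."""
    return [(h, s) for (h, s) in offered
            if s == sig_alg and h in supported_hashes and h in HASH_RANK]


def pick_first_offered(offered, sig_alg, supported_hashes):
    """Weak policy: the first usable pair in the client's list. A client that
    lists sha1 first for compatibility pulls the server down to sha1 even when
    both sides support sha384: the failure class the release note describes
    (negotiating a weaker algorithm than available)."""
    usable = _usable(offered, sig_alg, supported_hashes)
    return usable[0] if usable else None


def pick_strongest_supported(offered, sig_alg, supported_hashes):
    """Corrected policy: of the usable pairs, the one with the strongest hash,
    regardless of where the client placed it in its list."""
    usable = _usable(offered, sig_alg, supported_hashes)
    return max(usable, key=lambda pair: HASH_RANK[pair[0]]) if usable else None


# Constructed ClientHello extension body: length 10, then five pairs in a
# deliberately compatibility-first order: sha1/rsa, sha256/rsa, sha512/ecdsa,
# sha384/rsa, sha224/rsa.
CLIENT_SIG_ALGS = bytes([0x00, 0x0A, 2, 1, 4, 1, 6, 3, 5, 1, 3, 1])

# Hypothetical server: RSA key, hashes sha1/sha256/sha384/sha512 configured.
SERVER_HASHES = {2, 4, 5, 6}

if __name__ == "__main__":
    offered = parse_signature_algorithms(CLIENT_SIG_ALGS)
    weak = pick_first_offered(offered, SIG_RSA, SERVER_HASHES)
    strong = pick_strongest_supported(offered, SIG_RSA, SERVER_HASHES)
    print("first-offered policy picks:", HASH_NAME[weak[0]])          # sha1
    print("strongest-supported policy picks:", HASH_NAME[strong[0]])  # sha384
```

Both policies return None when the client offers nothing the server can use with its key type, which is the case a server should reject rather than silently fall back from; the parser rejects an odd or inconsistent length before any pair is considered.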
Comment 1 Marcus Meissner 2014-11-04 07:01:07 UTC
(is in 13.2, so needs an update)

and also needs CVEs.
Comment 2 Marcus Meissner 2014-11-04 07:03:26 UTC
assigned Mariusz as maintainer of polarssl in OBS and reassigned the bug to him.
Comment 3 Marcus Meissner 2014-11-04 07:07:25 UTC
request cve(s) on oss-sec
Comment 4 Swamp Workflow Management 2014-11-04 23:00:34 UTC
bugbot adjusting priority
Comment 5 Mariusz Fik 2014-11-05 22:28:47 UTC
I searched the CVE db, but there are no entries about this issue.
Updated package is already in devel project and Factory.

Can I just create maintenance incident?
Comment 6 Marcus Meissner 2014-11-06 07:25:29 UTC
so far no reply on my cve request.

please open a MR without CVEs.
Comment 7 Mariusz Fik 2014-11-06 11:50:07 UTC
Done. rq#260041.
Comment 8 Bernhard Wiedemann 2014-11-06 12:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (903672) was mentioned in
https://build.opensuse.org/request/show/260041 13.2 / polarssl
Comment 9 Marcus Meissner 2014-11-06 12:28:13 UTC
> https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released

> this release fixes a mistake in the negotiation introduced in PolarSSL
> 1.3.8. The mistake resulted in servers negotiating a weaker signature
> algorithm than available.

Use CVE-2014-8627.


> two remotely-triggerable memory leaks were found by the Codenomicon
> Defensics tool and fixed in this release.

Use CVE-2014-8628.
Comment 10 Marcus Meissner 2014-11-10 14:17:05 UTC
(I declined your maintenance request, can you resubmit with CVEs added?)
Comment 11 Mariusz Fik 2014-11-10 19:12:58 UTC
Sorry for the delay. I filled up .changes with CVE entries. rq#260748
Comment 12 Bernhard Wiedemann 2014-11-10 20:00:40 UTC
This is an autogenerated message for OBS integration:
This bug (903672) was mentioned in
https://build.opensuse.org/request/show/260748 13.2 / polarssl
Comment 13 Swamp Workflow Management 2014-11-19 16:05:38 UTC
openSUSE-SU-2014:1457-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 903671,903672
CVE References: CVE-2014-8627,CVE-2014-8628
Sources used:
openSUSE 13.2 (src):    polarssl-1.3.9-4.1
Comment 14 Marcus Meissner 2014-11-20 07:51:55 UTC
was released