group.of.nepali.translators team mailing list archive

[Bug 1672686] Re: CVE-2017-2784 - Freeing of memory allocated on stack when validating a public key with a secp224k1 curve

Since there is nothing left to sponsor, I am unsubscribing ubuntu-
security-sponsors. Please re-subscribe the group when attaching another
debdiff. Thanks!

** Also affects: polarssl (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: mbedtls (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: polarssl (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: mbedtls (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: mbedtls (Ubuntu Xenial)
       Status: New => Fix Released

** Changed in: mbedtls (Ubuntu Yakkety)
       Status: New => Fix Committed

** Changed in: mbedtls (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

** Changed in: polarssl (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: polarssl (Ubuntu Yakkety)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1672686

Title:
  CVE-2017-2784 - Freeing of memory allocated on stack when validating a
  public key with a secp224k1 curve

Status in mbedtls package in Ubuntu:
  Fix Released
Status in polarssl package in Ubuntu:
  Incomplete
Status in mbedtls source package in Xenial:
  Fix Released
Status in polarssl source package in Xenial:
  Confirmed
Status in mbedtls source package in Yakkety:
  Fix Released
Status in polarssl source package in Yakkety:
  Confirmed
Status in mbedtls package in Debian:
  Fix Released
Status in polarssl package in Debian:
  Confirmed

Bug description:
  The following security bug was published for mbedtls:

  Freeing of memory allocated on stack when validating a public key with
  a secp224k1 curve

  [Vulnerability]
  If a malicious peer supplies a certificate with a specially crafted secp224k1 public key, then an attacker can cause the server or client to attempt to free a block of memory held on the stack.

  [Impact]
  Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.

  [Resolution]
  Affected users should upgrade to mbed TLS 1.3.19, mbed TLS 2.1.7 or mbed TLS 2.4.2.

  https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
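The resolution above names three fixed upstream releases. As an added example (not part of the bug report or the mbed TLS advisory), the POSIX shell function below classifies an upstream mbed TLS version string against those fixed versions so an operator can quickly triage a vendored or self-built copy. It assumes that within each named series (1.3.x, 2.1.x, 2.4.x) every patch level below the fixed one is affected, and it deliberately reports "unknown" for any other series rather than guessing. The `upstream_part` helper strips a Debian-style package revision (for example `2.2.1-2ubuntu0.1`) before classification; note that the Ubuntu status table on this page is the authority for distribution packages, because Ubuntu backports fixes without changing the upstream version number, so a distro package reported "unknown" or "affected" here must be checked against its changelog instead.

```sh
#!/bin/sh
# Added triage helper for CVE-2017-2784; not code from mbed TLS or Ubuntu.
# Fixed upstream releases per the advisory: 1.3.19, 2.1.7, 2.4.2.

# Strip a Debian-style revision so "2.2.1-2ubuntu0.1" becomes "2.2.1".
upstream_part() {
    printf '%s\n' "${1%%-*}"
}

# Usage: mbedtls_cve_2017_2784_status VERSION
# Prints "fixed", "affected" or "unknown" and returns 0, 1 or 2 respectively.
mbedtls_cve_2017_2784_status() {
    ver="$1"
    # Reject anything that is not a dotted numeric version.
    case "$ver" in
        ""|*[!0-9.]*) printf 'unknown\n'; return 2 ;;
    esac
    # Split on "." into positional parameters, then restore IFS.
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # First fixed patch level for each series named in the advisory.
    # Assumption: series not listed here are reported as unknown, not safe.
    case "$maj.$min" in
        1.3) fixed=19 ;;
        2.1) fixed=7 ;;
        2.4) fixed=2 ;;
        *)   printf 'unknown\n'; return 2 ;;
    esac
    if [ "$pat" -ge "$fixed" ]; then
        printf 'fixed\n'
        return 0
    fi
    printf 'affected\n'
    return 1
}

# Stand-alone usage on a few constructed version strings.
for v in 1.3.18 1.3.19 2.1.6 2.1.7 2.4.1 2.4.2 2.2.1-2ubuntu0.1; do
    printf '%-20s %s\n' "$v" "$(mbedtls_cve_2017_2784_status "$(upstream_part "$v")")"
done
```

For a self-built library, the version to feed in is the `MBEDTLS_VERSION_STRING` macro from `mbedtls/version.h`; for an Ubuntu package, read the status table on this page and the package changelog rather than trusting the upstream number.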

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mbedtls/+bug/1672686/+subscriptions