group.of.nepali.translators team mailing list archive
Message #16150
[Bug 1714640] Re: CVE-2017-14032 - certificate authentication bypass
This bug was fixed in the package mbedtls - 2.4.2-1ubuntu0.1
---------------
mbedtls (2.4.2-1ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: If optional authentication is configured, allows
    remote attackers to bypass peer authentication via an X.509 certificate
    chain with many intermediates. (LP: #1714640)
    - debian/patches/CVE-2017-14032.patch, backport two upstream patches to
      return and handle a new "fatal error" error code in case of long
      certificate chains.
    - CVE-2017-14032

 -- James Cowgill <jcowgill@xxxxxxxxxx>  Wed, 06 Sep 2017 21:03:02 +0100
** Changed in: mbedtls (Ubuntu Zesty)
Status: Confirmed => Fix Released
** Changed in: mbedtls (Ubuntu Xenial)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1714640
Title:
CVE-2017-14032 - certificate authentication bypass
Status in mbedtls package in Ubuntu:
Fix Released
Status in mbedtls source package in Xenial:
Fix Released
Status in mbedtls source package in Zesty:
Fix Released
Status in mbedtls source package in Artful:
Fix Released
Status in mbedtls package in Debian:
Fix Released
Bug description:
The following security bug was published for mbedtls:
[Vulnerability]
If a malicious peer supplies an X.509 certificate chain that has more
than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (which by default is
8), it could bypass authentication of the certificates, when the
authentication mode was set to 'optional' eg.
MBEDTLS_SSL_VERIFY_OPTIONAL. The issue could be triggered remotely by
both the client and server sides.
If the authentication mode, which can be set by the function
mbedtls_ssl_conf_authmode(), was set to 'required' eg.
MBEDTLS_SSL_VERIFY_REQUIRED which is the default, authentication would
occur normally as intended.
[Impact]
Depending on the platform, an attack exploiting this vulnerability could
allow successful impersonation of the intended peer and permit
man-in-the-middle attacks.
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
As far as I can tell, mbed TLS in xenial, zesty and artful are
affected. No version of polarssl is affected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mbedtls/+bug/1714640/+subscriptions
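The [Vulnerability] and [Impact] text above describe the failure mode in words: a chain with more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates made verification fail without recording why, and a handshake configured with MBEDTLS_SSL_VERIFY_OPTIONAL discarded that failure as if the peer had verified cleanly. The following is an added illustration written for this archive page, not mbedtls code and not from the Ubuntu or Debian packages: a simplified model of the handshake's certificate step with the vulnerable handling next to the patched handling (a distinct fatal error code that is honoured regardless of authmode, as the changelog describes). All MBEDTLS_* names, error codes and flag bits are stand-in definitions so the file compiles without the mbedtls headers; the maximum of 8 intermediates is the default the advisory names, and the chains are constructed test data.

```c
/* Added illustration (not mbedtls code): a simplified model of the
 * handshake-side handling of certificate verification, showing why a
 * verify error that sets no flags is silently accepted under "optional"
 * authentication, and how a distinct fatal error code closes the gap.
 * The MBEDTLS_* names are stand-in definitions so this compiles without
 * mbedtls; 8 intermediates is the default named in the advisory. */
#include <stddef.h>
#include <stdio.h>

#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8   /* default named in the advisory */

#define MBEDTLS_SSL_VERIFY_OPTIONAL 1        /* stand-in values */
#define MBEDTLS_SSL_VERIFY_REQUIRED 2

/* Stand-in return codes. A policy failure (VERIFY_FAILED) carries its
 * details in the verify flags; a fatal error means verification could
 * not be completed at all, so there are no meaningful flags to report. */
#define ERR_X509_CERT_VERIFY_FAILED (-1)
#define ERR_X509_FATAL_ERROR        (-2)

/* Stand-in verify flag bits. */
#define BADCERT_EXPIRED     0x01u
#define BADCERT_NOT_TRUSTED 0x08u
#define BADCERT_OTHER       0x100u

typedef struct {
    int expired;  /* 1 if the certificate is outside its validity period */
    int trusted;  /* 1 if the certificate is in the trust store (root only) */
} cert_t;

/* Model of chain verification. chain[0] is the leaf, chain[n-1] the root,
 * so a chain may hold leaf + MAX intermediates + root. patched == 0
 * reproduces the vulnerable behaviour: an over-long chain returns
 * VERIFY_FAILED with *flags left at zero. patched != 0 returns a distinct
 * fatal code instead. The remaining checks are a toy policy. */
static int model_verify_chain(const cert_t *chain, size_t n, int patched, unsigned *flags)
{
    *flags = 0;
    if (n == 0)
        return ERR_X509_FATAL_ERROR;
    if (n > (size_t)MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
        return patched ? ERR_X509_FATAL_ERROR : ERR_X509_CERT_VERIFY_FAILED;
    for (size_t i = 0; i < n; i++)
        if (chain[i].expired)
            *flags |= BADCERT_EXPIRED;
    if (!chain[n - 1].trusted)
        *flags |= BADCERT_NOT_TRUSTED;
    return *flags ? ERR_X509_CERT_VERIFY_FAILED : 0;
}

/* Model of the handshake's certificate step. Returns 0 if the handshake
 * continues, nonzero if it is aborted. *verify_result receives the flags
 * the application would read afterwards (mbedtls exposes them through
 * mbedtls_ssl_get_verify_result()).
 * Vulnerable: in optional mode every nonzero result is waved through.
 * Patched: only VERIFY_FAILED (which has flags) is waved through; a fatal
 * error aborts the handshake whatever the authmode and marks the result. */
static int model_parse_certificate(int authmode, int patched,
                                   const cert_t *chain, size_t n, unsigned *verify_result)
{
    int ret = model_verify_chain(chain, n, patched, verify_result);
    if (ret == 0)
        return 0;
    if (patched) {
        if (ret == ERR_X509_FATAL_ERROR) {
            *verify_result |= BADCERT_OTHER;
            return ret;
        }
        if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL)
            return 0;              /* caller must inspect *verify_result */
        return ret;
    }
    /* vulnerable handling: optional mode discards every error, flags or not */
    return authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ? 0 : ret;
}

/* Builds a constructed chain: one leaf, `intermediates` CAs, one trusted root. */
static size_t build_chain(cert_t *out, size_t cap, size_t intermediates)
{
    size_t n = intermediates + 2;
    if (n > cap)
        return 0;
    for (size_t i = 0; i < n; i++) { out[i].expired = 0; out[i].trusted = 0; }
    out[n - 1].trusted = 1;
    return n;
}

int main(void)
{
    cert_t chain[16];
    unsigned flags;
    size_t n = build_chain(chain, 16, MBEDTLS_X509_MAX_INTERMEDIATE_CA + 1);
    int vuln = model_parse_certificate(MBEDTLS_SSL_VERIFY_OPTIONAL, 0, chain, n, &flags);
    printf("vulnerable, optional: handshake %s, verify flags 0x%x\n",
           vuln == 0 ? "continues" : "aborted", flags);
    int fixed = model_parse_certificate(MBEDTLS_SSL_VERIFY_OPTIONAL, 1, chain, n, &flags);
    printf("patched, optional:    handshake %s, verify flags 0x%x\n",
           fixed == 0 ? "continues" : "aborted", flags);
    return 0;
}
```

The practical point for anyone running optional authentication is visible in the patched branch: optional mode still lets the handshake continue after an ordinary policy failure, so the application must read the verify result itself after the handshake, and only errors that cannot be expressed as flags abort unconditionally.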