Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2

To: James Cowgill <jcowgill@debian.org>, 862167@bugs.debian.org
Subject: Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Tue, 09 May 2017 19:35:26 +0100
Message-id: <[🔎] 1494354926.26551.34.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 862167@bugs.debian.org
In-reply-to: <[🔎] 048bce9a-2ca6-66d3-bb2a-f1dff89cc058@debian.org>
References: <[🔎] 048bce9a-2ca6-66d3-bb2a-f1dff89cc058@debian.org>

Control: tags -1 + confirmed

On Tue, 2017-05-09 at 11:42 +0100, James Cowgill wrote:
> This polarssl update fixes CVE-2017-2784 (Freeing of memory allocated on
> stack when validating a public key with a secp224k1 curve) which is a
> no-DSA security issue.
> 
> I've tested the CVE with the testcase which was added to mbedtls (and it
> passes only after the patch is applied). Unfortunately the test system
> is broken in polarssl (doesn't handle crashes) so adding the test to
> jessie won't have any affect on the builds unless the test system is
> fixed as well.

Please go ahead.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
  - From: James Cowgill <jcowgill@debian.org>

Prev by Date: Bug#862190: RM: golang-gopkg-asn1-ber.v1/1.1-1
Next by Date: Processed: Re: Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
Previous by thread: Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
Next by thread: Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
Index(es):
- Date
- Thread