[SECURITY] [DLA 331-1] polarssl security update

[Thorsten Alteholz <debian@alteholz.de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : polarssl
Version        : 1.2.9-1~deb6u5
CVE ID         : CVE-2015-5291

A flaw was found in PolarSSl and mbed TLS:

When the client creates its ClientHello message, due to insufficient 
bounds checking it can overflow the heap-based buffer containing the 
message while writing some extensions. Two extensions in particular could 
be used by a remote attacker to trigger the overflow: the session ticket 
extension and the server name indication (SNI) extension.

Although most of the vulnerable code is not present in the Squeeze 
version, this upload contains at least a length check for incoming data.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJWKSZPXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHiHcQAIicP5CPmmE++EXGv0F0UoJ/
kXEwKY6VW7DiwCXRDDe+x/TPBH7qZhlcgX7MICqyutjE4zQ8zliLGzsdTBjULNia
Cour2eUUMyDgb+Smes1Vk7n9fxlVRhDpQlrdg80vbkc9X7uzybmsvBv33sitVfcX
DzBObaQYn/wjqj28wIIlRTG3DwMq4ejnP9/OvFCaX7BCYmmvNHMJ5KR79jCGOSKM
mI3ZeaZTXhyG1Doip/D5unFgtdob6n6ZOjPqKT1RiSiEo1vDKxUfwtNozoFVPydq
PHSO2fIGah4tGqZ8HNQlq69WdoIuT0x/aKC+/XkoG8pBzbT9HRPmQxSF+mI4MicH
iaLvGsJ5R6iy0bQ6DpGdz3m+JGU5zPLzdt2oqWxIe9v/OJO/Xq9Dr/pwCBXqwNUi
nic5OlNpMpCBdrBx0SFRMdP75eIMkWebMcDmeTxeo+hS0sNqkuakxEkUrofxG+5X
YC6u3IQ6gjbfC0YKAexLWUXTSmpu7n8H2MB6HO5Fxpn8pfEsUeIYCEu7OYtDAK5m
heDqwvdXXFd308bUq0p0i3SLRJyyfBcrTbBf2LieJB1o43UMJcf9ncRQrPP82JyH
jBMZPq/+P34TZJan0upTIhxjGWdwusnxzGvseGApSMoHpFDP7k7SYV5zwt34hOFJ
xCueS/Ec/oteeXYAjzt5
=wgpM
-----END PGP SIGNATURE-----