openSUSE Security Update : mbedtls (openSUSE-2017-372)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to mbedtls 1.3.19 fixes security issues and bugs.

The following vulnerability was fixed :

CVE-2017-2784: A remote user could have used a specially crafted
certificate to cause mbedtls to free a buffer allocated on the stack
when verifying the validity of a public key on the secp224k1 curve,
which could have allowed remote code execution on some platforms
(boo#1029017).

The following non-security changes are included :

- Add checks to prevent signature forgeries for very large
messages while using RSA through the PK module on 64-bit
systems.

- Fixed a potential livelock during the parsing of a CRL in
PEM format.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1029017

Solution :

Update the affected mbedtls packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 97905

Bugtraq ID:

CVE ID: CVE-2017-2784
