CVE-2017-14032 - certificate authentication bypass
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mbedtls (Debian) | Fix Released | Unknown | |
mbedtls (Ubuntu) | Fix Released | Medium | James Cowgill |
Xenial | Fix Released | Medium | James Cowgill |
Zesty | Fix Released | Medium | James Cowgill |
Artful | Fix Released | Medium | James Cowgill |
Bug Description
The following security bug was published for mbedtls:
[Vulnerability]
If a malicious peer supplies an X.509 certificate chain that has more
than MBEDTLS_
8), it could bypass authentication of the certificates, when the
authentication mode was set to 'optional', e.g.
MBEDTLS_
both the client and server sides.
If the authentication mode, which can be set by the function
mbedtls_
MBEDTLS_
occur normally as intended.
[Impact]
Depending on the platform, an attack exploiting this vulnerability could
allow successful impersonation of the intended peer and permit
man-in-the-middle attacks.
https:/
As far as I can tell, mbed TLS in xenial, zesty and artful are affected. No version of polarssl is affected.
CVE References
information type: Private Security → Public Security
Changed in mbedtls (Debian):
status: Unknown → Fix Released
The attachment "mbedtls-2.2.1-2ubuntu0.2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]