On Fri, 09 Oct 2015 22:02:21 +0200 Salvatore Bonaccorso <car...@debian.org> 
wrote:
> Source: polarssl
> Version: 1.2.8-2
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for polarssl.
> 
> CVE-2015-5291[0]:
> Remote attack on clients using session tickets or SNI

I believe this can be fixed by applying these 4 commits (although I'm
not sure if all of them are needed, and please double check):
https://github.com/ARMmbed/mbedtls/commit/c988f32adde62a169ba340fee0da15aecd40e76e
https://github.com/ARMmbed/mbedtls/commit/b1e325d6b2bd9c504536fbbd45dce348f0a6c40c
https://github.com/ARMmbed/mbedtls/commit/643a922c56b77235e88f106fb1b41c1a764cea5f
https://github.com/ARMmbed/mbedtls/commit/f3e6e4badb35760c9a543ee69b7449cb0cd9784b

This may be easier than packaging the new upstream version since that
requires an ABI break.

James
