{"id":"MGASA-2016-0054","summary":"Updated mbedtls/hiawatha/belle-sip/linphone/pdns packages fix security vulnerability","details":"Note: this package was called polarssl, but is now called mbed tls.  The\nPolarSSL software is now called mbed TLS.\n\nHeap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before\n1.3.14 allows remote SSL servers to cause a denial of service\n(client crash) and possibly execute arbitrary code via a long hostname to\nthe server name indication (SNI) extension, which is not properly handled\nwhen creating a ClientHello message (CVE-2015-5291).\n\nHeap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before\n1.3.14 allows remote SSL servers to cause a denial of service\n(client crash) and possibly execute arbitrary code via a long session\nticket name to the session ticket extension, which is not properly\nhandled when creating a ClientHello message to resume a session\n(CVE-2015-8036).\n\nThe mbedtls package has been updated to version 1.3.16, which contains\nseveral other bug fixes, security fixes, and security enhancements.\n\nThe hiawatha package, which uses the polarssl/mbedtls library, has been\nupdated to version 9.13 for improved compatibility.\n\nThe belle-sip library package has been updated to version 1.4.2 for\nimproved compatibility and the linphone package has been rebuilt against\nmbedtls.\n\nThe pdns package has also been rebuilt against mbedtls.\n","modified":"2026-04-16T06:25:00.926629513Z","published":"2016-02-09T13:05:25Z","upstream":["CVE-2015-5291","CVE-2015-8036"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0054.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17187"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.10-released"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-polarssl.1.2.18-released"},{"type":"WEB","url":"https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released"},{"type":"ADVISORY","url":"https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159916.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175762.html"}],"affected":[{"package":{"name":"mbedtls","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/mbedtls?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.16-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0054.json"}},{"package":{"name":"hiawatha","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/hiawatha?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.13-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0054.json"}},{"package":{"name":"belle-sip","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/belle-sip?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.2-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0054.json"}},{"package":{"name":"linphone","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/linphone?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.8.1-1.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0054.json"}},{"package":{"name":"pdns","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/pdns?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.3-1.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0054.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}