Description
Note: this package was previously called polarssl and is now called
mbedtls; the PolarSSL software itself is now called mbed TLS.

Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before
1.3.14 allows remote SSL servers to cause a denial of service
(client crash) and possibly execute arbitrary code via a long hostname to
the server name indication (SNI) extension, which is not properly handled
when creating a ClientHello message (CVE-2015-5291).

Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before
1.3.14 allows remote SSL servers to cause a denial of service
(client crash) and possibly execute arbitrary code via a long session
ticket name to the session ticket extension, which is not properly
handled when creating a ClientHello message to resume a session
(CVE-2015-8036).
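
Both issues come down to writing a variable-length ClientHello extension
into a fixed-size buffer without first checking the space left. The sketch
below is an added example, not mbed TLS code: it shows the bounds check for
an RFC 6066 server_name extension, and the names write_sni_ext, sni_demo and
ERR_BUFFER_TOO_SMALL are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUFFER_TOO_SMALL (-1)   /* hypothetical error code */
#define SNI_HDR_LEN 9   /* type(2) + ext len(2) + list len(2) + name type(1) + name len(2) */

/* Write an RFC 6066 server_name extension into [p, end).
 * Returns the number of bytes written, or ERR_BUFFER_TOO_SMALL when the
 * extension does not fit; nothing is written in that case. */
static int write_sni_ext(unsigned char *p, const unsigned char *end,
                         const char *hostname)
{
    size_t n = strlen(hostname);

    /* The check that must come before any write: compare the space left
     * in the output buffer with header + hostname length. */
    if (n > 0xFFFF - 5 || p > end || (size_t)(end - p) < SNI_HDR_LEN + n)
        return ERR_BUFFER_TOO_SMALL;

    *p++ = 0x00; *p++ = 0x00;                       /* extension type: server_name */
    *p++ = (unsigned char)((n + 5) >> 8); *p++ = (unsigned char)(n + 5);
    *p++ = (unsigned char)((n + 3) >> 8); *p++ = (unsigned char)(n + 3);
    *p++ = 0x00;                                    /* name type: host_name */
    *p++ = (unsigned char)(n >> 8);       *p++ = (unsigned char)n;
    memcpy(p, hostname, n);
    return (int)(SNI_HDR_LEN + n);
}

/* Constructed test input: a hostname of host_len 'a' characters written into
 * a buf_len-byte output area followed by a canary byte. Returns the writer's
 * result, -2 if the canary was overwritten, -3 if the sizes are unsupported. */
static int sni_demo(size_t host_len, size_t buf_len)
{
    static unsigned char buf[1025];
    static char host[2048];
    if (host_len >= sizeof(host) || buf_len >= sizeof(buf)) return -3;
    memset(host, 'a', host_len); host[host_len] = '\0';
    buf[buf_len] = 0xA5;                            /* canary just past the buffer */
    int r = write_sni_ext(buf, buf + buf_len, host);
    return buf[buf_len] == 0xA5 ? r : -2;
}

int main(void)
{
    printf("fits: %d, too long: %d\n", sni_demo(11, 64), sni_demo(1500, 64));
    return 0;
}
```

The same remaining-space check applies to the session ticket extension, where the ticket length takes the place of the hostname length.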

The mbedtls package has been updated to version 1.3.16, which contains
several other bug fixes, security fixes, and security enhancements.

The hiawatha package, which uses the polarssl/mbedtls library, has been
updated to version 9.13 for improved compatibility.

The belle-sip library package has been updated to version 1.4.2 for
improved compatibility and the linphone package has been rebuilt against
mbedtls.

The pdns package has also been rebuilt against mbedtls.