
mbed TLS 2.1.2/1.3.14 and PolarSSL 1.2.17 Released

[Date: 2015-10-12] Source: oschina.net  Author: Linux

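The maintenance releases mbed TLS 2.1.2/1.3.14 and PolarSSL 1.2.17 are now available. These versions mainly fix one remotely exploitable vulnerability, and also fix other vulnerabilities and some bugs.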

Security

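Guido Vranken discovered and reported 8 potential vulnerabilities, which have now been fixed. The most important one is described in mbed TLS security advisory 2015-01: it can allow remote code execution when a client that uses ticket-based session resumption connects to a malicious server.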

Other fixes:

  • Potential double-free if mbedtls_ssl_set_hs_psk() is called more than once in the same handshake and mbedtls_ssl_conf_psk() was used
  • Stack buffer overflow in PKCS12 decryption (used by mbedtls_pk_parse_key(file)()) when the password is > 129 bytes
  • Potential buffer overflow in mbedtls_mpi_read_string(). This is not exploitable remotely in the context of TLS, but it may be in other protocols. On 32 bit machines, this would require reading a string of close to or larger than 1GB of data to exploit; on 64 bit machines, it would require reading a string of close to or larger than 2^62 bytes
  • Potential random memory allocation in mbedtls_pem_read_buffer() on crafted PEM input data.  Triggerable remotely if you accept PEM data from an untrusted source
  • Potential heap buffer overflow in base64_encode() when the input buffer is 512MB or larger on 32-bit platforms
  • Potential double-free if mbedtls_conf_psk() is called repeatedly on the same mbedtls_ssl_config object and memory allocation fails
  • Potential heap buffer overflow in servers that perform client authentication against a crafted CA cert. Cannot be triggered remotely unless you allow third parties to pick trust CAs for client auth
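The 512 MB threshold in the base64_encode() item is where multiplying a byte count by 8 wraps a 32-bit size type (2^29 × 8 = 2^32). The sketch below is an added example, not mbed TLS code: it assumes the output length was derived from the input bit count, an assumption chosen because it reproduces the threshold stated above, and sets an overflow-checked calculation beside it. The names `b64_len_wrapping` and `b64_len_checked` are hypothetical, and `uint32_t` stands in for a 32-bit `size_t`.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed (hypothetical) pre-fix style: output length derived from the input
 * bit count. uint32_t models a 32-bit size_t so this runs on any host. */
static uint32_t b64_len_wrapping(uint32_t slen)
{
    uint32_t bits = slen << 3;   /* wraps to 0 once slen reaches 2^29 (512 MB) */
    uint32_t n = bits / 6;       /* whole 6-bit groups */
    switch (bits - n * 6) {      /* leftover bits: round up to a 4-char quantum */
    case 2: n += 3; break;
    case 4: n += 2; break;
    default: break;
    }
    return n;                    /* a wrapped value understates the space needed */
}

/* Overflow-checked form: count 3-byte groups first, then refuse any length
 * whose 4*n + 1 (encoded text plus NUL) cannot be represented. */
static int b64_len_checked(uint32_t slen, uint32_t *olen)
{
    uint32_t n = slen / 3 + (slen % 3 != 0);
    if (n > (UINT32_MAX - 1) / 4)
        return -1;               /* caller must treat this as "buffer too small" */
    *olen = n * 4;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths around the 512 MB boundary. */
    const uint32_t samples[] = { 3u, 0x1FFFFFFFu, 0x20000000u, 0x20000001u, UINT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t safe = 0;
        int rc = b64_len_checked(samples[i], &safe);
        printf("slen=%10lu wrapping=%10lu checked=",
               (unsigned long)samples[i],
               (unsigned long)b64_len_wrapping(samples[i]));
        if (rc == 0)
            printf("%lu\n", (unsigned long)safe);
        else
            printf("rejected\n");
    }
    return 0;
}
```

Below 512 MB the two functions agree; at exactly 512 MB the wrapping form reports a required length of 0, so a destination-size check based on it would accept a buffer far smaller than the data the encoder goes on to write.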

Two build errors were fixed: one when building net.c with the musl C library, the other when building with MSVC in C++ mode.

Download:

See the release notes for more details.


Permanent link to this article: http://www.linuxidc.com/Linux/2015-10/124044.htm
