CVE-2014-8628

NameCVE-2014-8628
DescriptionMemory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-129-1, DSA-3116-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
polarssl (PTS)wheezy, wheezy (security)1.2.9-1~deb7u6fixed
jessie1.3.9-2.1+deb8u2fixed
jessie (security)1.3.9-2.1+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
polarsslsource(unstable)1.3.9-1high
polarsslsourcesqueeze1.2.9-1~deb6u3highDLA-129-1
polarsslsourcewheezy1.2.9-1~deb7u4highDSA-3116-1

Notes

Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1159845#c5 and following.
Patch for 1.2.x: https://github.com/polarssl/polarssl/commit/6b440389136afbcb0d831f880176c830bd3e0c7c
Version 1.2.11 also brings other security-relevant fixes. Maybe update to new upstream version?

Search for package or bug name: Reporting problems