CVE-2017-14032

Name: CVE-2017-14032
Description: ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3967-1
NVD severity: medium (attack range: remote)
Debian Bugs: 873557

Vulnerable and fixed packages

The table below lists information on source packages.

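| Source Package | Release | Version | Status |
|---|---|---|---|
| mbedtls (PTS) | stretch | 2.4.2-1 | vulnerable |
| mbedtls (PTS) | stretch (security) | 2.4.2-1+deb9u1 | fixed |
| mbedtls (PTS) | buster, sid | 2.6.0-1 | fixed |
| polarssl (PTS) | wheezy, wheezy (security) | 1.2.9-1~deb7u6 | fixed |
| polarssl (PTS) | jessie | 1.3.9-2.1+deb8u2 | fixed |
| polarssl (PTS) | jessie (security) | 1.3.9-2.1+deb8u1 | fixed |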

The information below is based on the following data on fixed versions.

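| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mbedtls | source | (unstable) | 2.6.0-1 | medium | | 873557 |
| mbedtls | source | stretch | 2.4.2-1+deb9u1 | medium | DSA-3967-1 | |
| polarssl | source | (unstable) | (unfixed) | medium | | |
| polarssl | source | jessie | (not affected) | | | |
| polarssl | source | wheezy | (not affected) | | | |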

Notes

[jessie] - polarssl <not-affected> (Vulnerable code not present)
[wheezy] - polarssl <not-affected> (Vulnerable code not present)
Affected versions: all from version 1.3.10 up and including 2.1 and later releases
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32
https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc
