CVE-2014-8628

NameCVE-2014-8628
DescriptionMemory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-129-1, DSA-3116-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
polarssl (PTS)jessie, jessie (lts)1.3.9-2.1+deb8u4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
polarsslsourcesqueeze1.2.9-1~deb6u3DLA-129-1
polarsslsourcewheezy1.2.9-1~deb7u4DSA-3116-1
polarsslsource(unstable)1.3.9-1

Notes

Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1159845#c5 and following.
Patch for 1.2.x: https://github.com/polarssl/polarssl/commit/6b440389136afbcb0d831f880176c830bd3e0c7c
Version 1.2.11 also brings other security-relevant fixes. Maybe update to new upstream version?

Search for package or bug name: Reporting problems