mbedtls vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
* Ubuntu 16.04 LTS
Summary
Several security issues were fixed in mbedtls.
Software Description
* mbedtls - lightweight crypto and SSL/TLS library - crypto
library
Details
It was discovered that mbedtls has a bounds-check bypass through
an integer overflow that can be used by an attacked to execute
arbitrary code or cause a denial of service. (CVE-2017-18187)
It was discovered that mbedtls has a vulnerability where an
attacker could execute arbitrary code or cause a denial of service
(buffer overflow) via a crafted certificate chain that is
mishandled during RSASSA-PSS signature verification within a TLS
or DTLS session. (CVE-2018-0487)
It was discovered that mbedtls has a vulnerability where an
attacker could execute arbitrary code or cause a denial of service
(heap corruption) via a crafted application packet within a TLS or
DTLS session. (CVE-2018-0488)
It was discovered that mbedtls has a vulnerability that allows
remote attackers to achieve partial plaintext recovery (for a CBC
based ciphersuite) via a timing-based side-channel attack.
(CVE-2018-0497)
It was discovered that mbedtls has a vulnerability that allows
local users to achieve partial plaintext recovery (for a CBC based
ciphersuite) via a cache-based side-channel attack.
(CVE-2018-0498)
Update instructions
The problem can be corrected by updating your system to the
following package versions:
Ubuntu 16.04 LTS
libmbedcrypto0 - 2.2.1-2ubuntu0.3
libmbedtls10 - 2.2.1-2ubuntu0.3
libmbedx509-0 - 2.2.1-2ubuntu0.3
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary
changes.
References
* CVE-2017-18187
* CVE-2018-0487
* CVE-2018-0488
* CVE-2018-0497
* CVE-2018-0498
--- Mystic BBS v1.12 A43 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)