Description

Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.
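The description above only says that an over-long SNI hostname is mishandled while the ClientHello is built. The following is an added example written for this page; it is not code from mbed TLS, PolarSSL or SUSE. It puts a server_name extension writer that trusts the hostname length (the bug class named in the advisory) next to a hardened version that caps the name and checks the remaining output space before writing anything. The buffer size HELLO_BUF_LEN, the 255-byte cap, the function names and the sample hostnames are assumptions for the illustration; the extension layout follows RFC 6066, section 3.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative constants (assumptions for this example, not mbed TLS's own):
 * a staging buffer for the ClientHello and the RFC 6066 hostname cap. */
#define HELLO_BUF_LEN      512
#define MAX_HOST_NAME_LEN  255

/* Wire layout of a server_name extension (RFC 6066, section 3):
 *   ExtensionType server_name (2) | extension_data length (2) |
 *   ServerNameList length (2)      | NameType host_name (1)   |
 *   HostName length (2)            | HostName (hostlen)
 * i.e. 9 + hostlen bytes in total. */
#define SNI_OVERHEAD 9

static void put_u16(unsigned char *p, size_t v)
{
    p[0] = (unsigned char)((v >> 8) & 0xFF);
    p[1] = (unsigned char)(v & 0xFF);
}

/* VULNERABLE FORM: trusts that the hostname fits. Given a hostname longer
 * than the space left in the output buffer it writes past the end, which is
 * the bug class the advisory describes. Kept only for comparison; never call
 * it with a hostname that has not been bounds-checked. */
static void write_sni_unchecked(unsigned char *p, const char *host)
{
    size_t hostlen = strlen(host);
    put_u16(p, 0);                 /* extension type: server_name = 0 */
    put_u16(p + 2, hostlen + 5);   /* extension_data length */
    put_u16(p + 4, hostlen + 3);   /* ServerNameList length */
    p[6] = 0;                      /* NameType: host_name */
    put_u16(p + 7, hostlen);       /* HostName length */
    memcpy(p + 9, host, hostlen);  /* no room check: buffer overrun */
}

/* How many bytes the unchecked writer would spill past a buffer of buf_len
 * for a hostname of hostlen bytes (computed only; no memory is touched). */
static size_t sni_overflow_bytes(size_t buf_len, size_t hostlen)
{
    size_t need = hostlen + SNI_OVERHEAD;
    return need > buf_len ? need - buf_len : 0;
}

/* HARDENED FORM: rejects over-long names and checks the remaining space
 * before writing a single byte. Returns 0 on success with *olen set to the
 * bytes written (0 when there is no hostname, i.e. the extension is omitted),
 * -1 if the name is too long or does not fit; on -1 nothing was written. */
static int write_sni_ext(unsigned char *buf, size_t buf_len,
                         const char *host, size_t *olen)
{
    size_t hostlen;

    *olen = 0;
    if (host == NULL || host[0] == '\0')
        return 0;

    hostlen = strlen(host);
    if (hostlen > MAX_HOST_NAME_LEN)
        return -1;                 /* enforce the cap before any encoding */

    /* Compare the space left against the need; never test p + n against
     * end, since p + n can wrap for a large n. */
    if (buf_len < hostlen + SNI_OVERHEAD)
        return -1;

    put_u16(buf, 0);
    put_u16(buf + 2, hostlen + 5);
    put_u16(buf + 4, hostlen + 3);
    buf[6] = 0;
    put_u16(buf + 7, hostlen);
    memcpy(buf + SNI_OVERHEAD, host, hostlen);
    *olen = hostlen + SNI_OVERHEAD;
    return 0;
}

int main(void)
{
    unsigned char hello[HELLO_BUF_LEN];
    char longname[HELLO_BUF_LEN + 100];   /* constructed: longer than the buffer */
    size_t olen;
    int rc;

    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    rc = write_sni_ext(hello, sizeof hello, "example.com", &olen);
    printf("example.com -> rc=%d, %zu bytes written\n", rc, olen);

    rc = write_sni_ext(hello, sizeof hello, longname, &olen);
    printf("%zu-byte name -> rc=%d; the unchecked writer would spill %zu bytes "
           "past a %d-byte buffer\n", strlen(longname), rc,
           sni_overflow_bytes(sizeof hello, strlen(longname)), HELLO_BUF_LEN);

    write_sni_unchecked(hello, "example.com");   /* fits, so this one is safe */
    return 0;
}
```

The two checks in write_sni_ext are independent on purpose: the 255-byte cap bounds what a caller may ever set as hostname, and the remaining-space check protects the writer even if a caller bypasses the cap or the buffer is smaller than expected. The spill is reported by sni_overflow_bytes as a computed value so the demonstration never actually overruns memory.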
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
References: National Vulnerability Database
- openSUSE-SU-2015:2257-1, published Sun, 13 Dec 2015 13:12:45 +0100 (CET)
- openSUSE-SU-2015:2371-1, published Sun, 27 Dec 2015 01:12:33 +0100 (CET)
List of released packages

| Product(s)          | Fixed package version(s) | References                                        |
|---------------------|--------------------------|---------------------------------------------------|
| openSUSE Leap 42.1  |                          | Patchnames:                                       |
| openSUSE Leap 42.2  |                          | Patchnames: openSUSE Leap 42.2 GA libmbedtls9     |
| openSUSE Tumbleweed |                          | Patchnames: openSUSE Tumbleweed GA libmbedcrypto0 |