Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Polarssl | Polarssl | * | 1.2.11 (including) |
| Polarssl | Polarssl | 1.3.0 (including) | 1.3.0 (including) |
| Polarssl | Polarssl | 1.3.1 (including) | 1.3.1 (including) |
| Polarssl | Polarssl | 1.3.2 (including) | 1.3.2 (including) |
| Polarssl | Polarssl | 1.3.3 (including) | 1.3.3 (including) |
| Polarssl | Polarssl | 1.3.4 (including) | 1.3.4 (including) |
| Polarssl | Polarssl | 1.3.5 (including) | 1.3.5 (including) |
| Polarssl | Polarssl | 1.3.6 (including) | 1.3.6 (including) |
| Polarssl | Polarssl | 1.3.7 (including) | 1.3.7 (including) |
| Polarssl | Polarssl | 1.3.8 (including) | 1.3.8 (including) |
| Mbedtls | Ubuntu | upstream | * |
| Polarssl | Ubuntu | lucid | * |
| Polarssl | Ubuntu | precise | * |
| Polarssl | Ubuntu | trusty | * |
| Polarssl | Ubuntu | upstream | * |
| Polarssl | Ubuntu | utopic | * |
| Polarssl | Ubuntu | vivid | * |
References
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html
- http://www.debian.org/security/2014/dsa-3116
- https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released
- https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html
- http://www.debian.org/security/2014/dsa-3116
- https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released
- https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released