Security update for mbedtls
This update to mbedtls 1.3.19 fixes security issues and bugs.
The following vulnerability was fixed:
CVE-2017-2784: A remote user could have used a specially crafted certificate to cause
mbedtls to free a buffer allocated on the stack when verifying the validity
of public key with a secp224k1 curve, which could have allowed remote
code execution on some platforms (boo#1029017)
The following non-security changes are included:
- Add checks to prevent signature forgeries for very large messages while using RSA through
the PK module in 64-bit systems.
- Fixed potential livelock during the parsing of a CRL in PEM format
-
Submitted by
Martin Pluskal (pluskalm)
Fixed bugs
bnc#1029017
VUL-0: CVE-2017-2784: mbedtls Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
