
Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2



Control: tags -1 + pending

On Tue, 2017-05-09 at 19:35 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2017-05-09 at 11:42 +0100, James Cowgill wrote:
> > This polarssl update fixes CVE-2017-2784 (Freeing of memory allocated on
> > stack when validating a public key with a secp224k1 curve) which is a
> > no-DSA security issue.
> > 
> > I've tested the CVE with the testcase which was added to mbedtls (and it
> > passes only after the patch is applied). Unfortunately the test system
> > is broken in polarssl (doesn't handle crashes) so adding the test to
> > jessie won't have any effect on the builds unless the test system is
> > fixed as well.
> 
> Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam

