{"id":"MGASA-2013-0290","summary":"Updated polarssl package fixes security vulnerabilities","details":"The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used\nin PolarSSL before 1.2.6, does not properly consider timing side-channel\nattacks on a MAC check requirement during the processing of malformed CBC\npadding, which allows remote attackers to conduct distinguishing attacks\nand plaintext-recovery attacks via statistical analysis of timing data for\ncrafted packets, aka the \"Lucky Thirteen\" issue (CVE-2013-0169).\n\nArray index error in the SSL module in PolarSSL before 1.2.6 might allow\nremote attackers to cause a denial of service via vectors involving a\ncrafted padding-length value during validation of CBC padding in a TLS\nsession (CVE-2013-1621).\n\nA third party can set up a SSL/TLS handshake with a server and send a\nmalformed Certificate handshake message that results in an infinite loop\nfor that connection. With a Man-in-the-Middle attack on a client, a third\nparty can trigger the same infinite loop on a client (CVE-2013-4623).\n","modified":"2026-01-30T06:54:35.227099Z","published":"2013-09-24T21:41:53Z","related":["CVE-2013-0169","CVE-2013-1621","CVE-2013-4623"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0290.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=11275"},{"type":"REPORT","url":"https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-01"},{"type":"REPORT","url":"https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03"},{"type":"REPORT","url":"https://polarssl.org/tech-updates/releases/polarssl-1.2.6-released"},{"type":"REPORT","url":"https://polarssl.org/tech-updates/releases/polarssl-1.2.7-released"},{"type":"REPORT","url":"https://polarssl.org/tech-updates/releases/polarssl-1.2.8-released"},{"type":"REPORT","url":"https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115922.html"}],"affected":[{"package":{"name":"polarssl","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/polarssl?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.8-1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0290.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}