Candidate: CVE-2015-5291
PublicDate: 2015-11-02 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5291
 https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01
Description:
 Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS
 (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote
 SSL servers to cause a denial of service (client crash) and possibly
 execute arbitrary code via a long hostname to the server name indication
 (SNI) extension, which is not properly handled when creating a ClientHello
 message.  NOTE: this identifier has been SPLIT per ADT3 due to different
 affected version ranges. See CVE-2015-8036 for the session ticket issue
 that was introduced in 1.3.0.
Ubuntu-Description:
Notes:
 sbeattie> polarssl now known as mbed
Bugs:
Priority: medium
Discovered-by: Guido Vranken
Assigned-to:
CVSS: 

Patches_polarssl:
upstream_polarssl: released (1.2.17, 1.3.14)
precise_polarssl: ignored (reached end-of-life)
precise/esm_polarssl: DNE (precise was needed)
trusty_polarssl: ignored (reached end-of-life)
trusty/esm_polarssl: DNE (trusty was needed)
vivid_polarssl: ignored (reached end-of-life)
vivid/stable-phone-overlay_polarssl: DNE
vivid/ubuntu-core_polarssl: DNE
wily_polarssl: released (1.3.9-2.1+deb8u1)
xenial_polarssl: DNE
yakkety_polarssl: DNE
zesty_polarssl: DNE
artful_polarssl: DNE
bionic_polarssl: DNE
cosmic_polarssl: DNE
disco_polarssl: DNE
devel_polarssl: DNE

Patches_mbedtls:
upstream_mbedtls: released (2.1.2-1)
precise_mbedtls: DNE
precise/esm_mbedtls: DNE
trusty_mbedtls: DNE
trusty/esm_mbedtls: DNE
vivid/stable-phone-overlay_mbedtls: DNE
vivid/ubuntu-core_mbedtls: DNE
wily_mbedtls: DNE
xenial_mbedtls: not-affected (2.2.1-2)
yakkety_mbedtls: not-affected (2.2.1-2)
zesty_mbedtls: not-affected (2.2.1-2)
artful_mbedtls: not-affected (2.2.1-2)
bionic_mbedtls: not-affected (2.2.1-2)
cosmic_mbedtls: not-affected (2.2.1-2)
disco_mbedtls: not-affected (2.2.1-2)
devel_mbedtls: not-affected (2.2.1-2)