ArchLinux: 201601-29: mbedtls: man-in-the-middle
Summary
mbedTLS before 2.2.1 is vulnerable to the SLOTH attack, which breaks MD5 signatures potentially used during TLS 1.2 handshakes and allows an attacker to impersonate a TLS server.
Resolution
Upgrade to 2.2.1-1.
# pacman -Syu "mbedtls>=2.2.1-1"
The problem has been fixed upstream in version 2.2.1.
References
https://bugs.archlinux.org/task/47783
https://access.redhat.com/security/cve/CVE-2015-7575
https://www.mitls.org/pages/attacks/SLOTH
https://www.trustedfirmware.org/projects/mbed-tls/
Workaround
None.