Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201601-29 ========================================= Severity: Medium Date : 2016-01-25 CVE-ID : CVE-2015-7575 Package : mbedtls Type : man-in-the-middle Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package mbedtls before version 2.2.1-1 is vulnerable to man-in-the-middle. Resolution ========= Upgrade to 2.2.1-1. # pacman -Syu "mbedtls>=2.2.1-1" The problem has been fixed upstream in version 2.2.1. Workaround ========= None. Description ========== mbedTLS before 2.2.1 is vulnerable to the SLOTH attack, breaking MD5 signatures potentially used during TLS 1.2 handshakes to impersonate a TLS server. Impact ===== A remote attacker might be able to impersonate a TLS server, acting as a man-in-the-middle. References ========= https://bugs.archlinux.org/task/47783 https://access.redhat.com/security/cve/CVE-2015-7575 https://www.trustedfirmware.org/projects/mbed-tls/