Описание
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| mbedtls | fixed | 3.6.3-1 | package | |
| mbedtls | no-dsa | bookworm | package | |
| mbedtls | ignored | bullseye | package |
Примечания
https://github.com/Mbed-TLS/mbedtls/issues/466
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
https://github.com/Mbed-TLS/mbedtls/commit/9a9f0c77cfd314b761aaeef7a521565e00019b4a (mbedtls-3.6.3)
https://github.com/Mbed-TLS/mbedtls/commit/c43a9d5576c3f9b9da21454711c104b1f9d73efa (mbedtls-2.28.10)
Связанные уязвимости
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Уязвимость функции mbedtls_ssl_set_hostname программного обеспечения Mbed TLS, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации