Описание
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| mbedtls | fixed | 3.6.3-1 | package | |
| mbedtls | no-dsa | bookworm | package | |
| mbedtls | ignored | bullseye | package |
Примечания
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
https://github.com/Mbed-TLS/mbedtls/commit/26f0044ad020dc3c8db1b4001464acaef7dfbd52 (mbedtls-3.6.3)
https://github.com/Mbed-TLS/mbedtls/commit/6070470dfd5c680a59a55bc55299e1a65a6c7049 (mbedtls-2.28.10)
EPSS
Связанные уязвимости
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
Уязвимость реализации протокола TLS программного обеспечения Mbed TLS, позволяющая нарушителю проводить атаки типа "человек по середине"
EPSS