ALT-PU-2025-5335-4

Package update mbedtls in branch c10f2

Version: 3.6.3-alt1
Published: 2026-02-04
Max severity: MEDIUM

Closed issues (4)

BDU:2025-06868
MEDIUM 5.4

A vulnerability in the TLS protocol implementation of the Mbed TLS software that allows an attacker to conduct man-in-the-middle attacks

Published: 2025-06-18
Modified: 2026-03-02
CVSS 3.x: MEDIUM 5.4
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS 2.0: MEDIUM 4.0
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N

BDU:2025-06869
MEDIUM 5.4

A vulnerability in the mbedtls_ssl_set_hostname function of the Mbed TLS software that allows an attacker to gain unauthorized access to protected information

Published: 2025-06-18
Modified: 2026-03-02
CVSS 3.x: MEDIUM 5.4
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS 2.0: MEDIUM 4.0
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N

CVE-2025-27809
MEDIUM 5.4

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

Published: 2025-03-25
Modified: 2025-07-17
CVSS 3.x: MEDIUM 5.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE-2025-27810
MEDIUM 4.8

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

Published: 2025-03-25
Modified: 2025-10-30
CVSS 3.x: MEDIUM 4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N