Bug 18874

Summary: mbedtls new security issues fixed upstream in 1.3.17
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/693476/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: mbedtls-1.3.16-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-07-05 21:08:45 CEST
Upstream has issued an advisory on June 28:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.3.0-2.1.5-and-1.3.17-released

Updates checked into Mageia 5 and Cauldron SVN.  Freeze push requested.

David Walser 2016-07-05 21:08:51 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-06 20:22:15 CEST
Updated packages uploaded for Mageia 5 and Cauldron.

You can use hiawatha, linphone, or pdns to test this.

Advisory:
========================

Updated mbedtls packages fix security vulnerabilities:

The mbedtls package has been updated to version 1.3.17, which fixes a few minor
security issues in mbedtls_rsa_rsaes_pkcs1_v15_encrypt() and
mbedtls_rsa_rsaes_oaep_encrypt() and fixes a handful of other bugs as well.

See the upstream release announcement for details.

References:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.3.0-2.1.5-and-1.3.17-released
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.17-1.mga5
libmbedtls9-1.3.17-1.mga5
libmbedtls-devel-1.3.17-1.mga5

from mbedtls-1.3.17-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 2 claire robinson 2016-07-07 22:10:36 CEST
Testing complete mga5 64

# mbedtls-selftest

  MD5 test #1: passed
  MD5 test #2: passed
  MD5 test #3: passed
  MD5 test #4: passed

...etc

  TIMING test #2 (set_alarm / get_timer): passed
  TIMING test #3 (hardclock / get_timer): passed
  TIMING test #4 (net_usleep/ get_timer): passed

  [ All tests passed ]

Whiteboard: (none) => has_procedure mga5-64-ok

Comment 3 claire robinson 2016-07-08 16:52:38 CEST
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 17:38:46 CEST

Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok

Comment 4 Mageia Robot 2016-07-08 21:51:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0249.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED