Bug 20162

Summary: mbedtls new security issues fixed upstream in 1.3.18
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, lewyssmith, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://lwn.net/Vulnerabilities/713061/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: mbedtls-1.3.17-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-01-22 19:23:28 CET
Upstream has issued an advisory on October 15:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.0-2.1.6-and-1.3.18-released

Updated package uploaded for Mageia 5.

You can use hiawatha, linphone, or pdns to test this.

Advisory:
========================

Updated mbedtls packages fix security vulnerabilities:

The mbedtls package has been updated to version 1.3.18, which removes a
non-default configuration option that could lead to session key recovery in
very long TLS sessions and fixes a potential stack corruption that cannot be
triggered remotely. It also fixes several bugs.

See the upstream release announcement for details.

References:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.0-2.1.6-and-1.3.18-released
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.18-1.mga5
libmbedtls9-1.3.18-1.mga5
libmbedtls-devel-1.3.18-1.mga5

from mbedtls-1.3.18-1.mga5.src.rpm
Comment 1 David Walser 2017-01-22 19:24:13 CET
The previous update was simply tested by running the mbedtls-selftest command.

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2017-01-27 10:14:01 CET
Installed these on x86_64 real hardware and ran the selftest command.
All tests passed.

Since there is no bugtrail to follow, functionality tests are all we have.

Updated to version 1.3.18 and ran the selftest again.
Again, all tests passed.

About to look at the other suggestions for testing.

CC: (none) => tarazed25

Comment 3 Herman Viaene 2017-01-27 12:08:52 CET
MGA5-32 on AsusA6000VM Xfce
No installation issues
Ran selftest, all tests passed, OK as in bug 18874.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 4 Len Lawrence 2017-01-27 17:30:16 CET
Moved to another 64bit machine and ran the update.
Installed hiawatha, stopped the lighttpd service and started hiawatha OK.
$ sudo systemctl start hiawatha
[lcl@vega python]$ systemctl status hiawatha
● hiawatha.service - Hiawatha Web Server
   Loaded: loaded (/usr/lib/systemd/system/hiawatha.service; enabled)
   Active: active (running) since Fri 2017-01-27 16:13:09 GMT; 17s ago
  Process: 21101 ExecStartPre=/usr/sbin/hiawatha -k (code=exited, status=0/SUCCESS)
  Process: 21097 ExecStartPre=/usr/sbin/wigwam (code=exited, status=0/SUCCESS)
 Main PID: 21104 (hiawatha)
   CGroup: /system.slice/hiawatha.service
           └─21104 /usr/sbin/hiawatha -d

Extract from output of
$ urpmq --requires hiawatha
....
hiawatha: libmbedtls.so.9()(64bit)

Closed firefox and restarted it without a problem and was able to reach sites not likely to be in the cache so this looks fine for x86_64.
Len Lawrence 2017-01-27 17:30:40 CET

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 5 Lewis Smith 2017-01-27 22:02:33 CET
Thank you Len & Herman for speedy testing. Validating & Advisory-ing.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-01-29 21:53:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0030.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-01-31 04:51:32 CET

URL: (none) => https://lwn.net/Vulnerabilities/713061/