Bug 21645

Summary: mbedtls new security issue CVE-2017-14032
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, marja11, pkg-bugs, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: mbedtls-2.4.2-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-08-31 15:19:44 CEST 
Upstream has issued an advisory on August 28:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02

A CVE has been assigned on August 30:
http://www.openwall.com/lists/oss-security/2017/08/30/8

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2017-09-01 12:21:49 CEST 
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case (or because :-( ) the maintainer is unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => oe

Comment 2 David Walser 2017-09-03 16:07:24 CEST 
Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BIDCXCILJ7BZS2GBSR75NMKRUNLQD3R5/
David Walser 2017-10-18 18:54:31 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 3 David Walser 2017-12-28 19:58:41 CET 
Advisory:
========================

Updated mbedtls packages fix security vulnerability:

ARM mbed TLS before 1.3.21, 2.1.x before 2.1.9 and 2.x before 2.6.0, if
optional authentication is configured, allows remote attackers to bypass peer
authentication via an X.509 certificate chain with many intermediates
(CVE-2017-14032).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14032
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
https://tls.mbed.org/tech-updates/releases/mbedtls-2.6.0-2.1.9-and-1.3.21-released
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BIDCXCILJ7BZS2GBSR75NMKRUNLQD3R5/
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.21-1.mga5
libmbedtls9-1.3.21-1.mga5
libmbedtls-devel-1.3.21-1.mga5
mbedtls-2.6.0-1.mga6
libmbedtls10-2.6.0-1.mga6
libmbedtls-devel-2.6.0-1.mga6

from SRPMS:
========================
mbedtls-1.3.21-1.mga5.src.rpm
mbedtls-2.6.0-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: oe => qa-bugs
Version: Cauldron => 6

Dave Hodgins 2018-01-01 07:22:01 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Herman Viaene 2018-01-01 13:49:14 CET 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to bug 20561 Comment 3
$ mbedtls-selftest 

  MD5 test #1: passed
  MD5 test #2: passed
  MD5 test #3: passed
  MD5 test #4: passed
  MD5 test #5: passed
and a lot more, at the end:
  [ All tests passed ]
So seems OK

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Dave Hodgins 2018-01-03 14:14:52 CET 
Tests passed on Mageia 6 x86_64 too.

Validating the update.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-01-03 15:23:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0038.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED