| Summary: | mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, oe, smelror, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK | | |
| Source RPM: | mbedtls-2.7.0-1.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.7.2 | | |
Description
David Walser
2018-04-15 22:08:26 CEST

David Walser
2018-04-15 22:08:34 CEST
Whiteboard: (none) => MGA6TOO

Comment 1
Assigning to all packagers collectively, because the registered maintainer for this package is currently unavailable.
CC: (none) => marja11, oe, smelror

Comment 2
openSUSE has issued an advisory today (April 21):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00051.html
Two of the security fixes have CVEs.
Summary: mbedtls new security issues fixed upstream in 2.7.2 => mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)

David Walser
2018-05-04 08:29:25 CEST
Status comment: (none) => Fixed upstream in 2.7.2

Stig-Ørjan Smelror
2018-05-08 10:35:45 CEST
Assignee: pkg-bugs => smelror

Comment 3
mbedtls-2.7.3-1.mga7 pushed to Cauldron by Stig-Ørjan.
Sysadmins, please remove mbedtls from mga6 core/updates_testing. The wrong version was pushed there.
CC: (none) => sysadmin-bugs

Comment 4
Advisory
========

mbedtls has been updated to fix two security issues.

CVE-2018-9988: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.

CVE-2018-9989: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
https://nvd.nist.gov/vuln/detail/CVE-2018-9989
https://lists.opensuse.org/opensuse-updates/2018-04/msg00051.html
========================

mbedtls-2.7.3-1.mga6
lib64mbedtls-devel-2.7.3-1.mga6
lib64mbedtls10-2.7.3-1.mga6
mbedtls-debuginfo-2.7.3-1.mga6

from mbedtls-2.7.3-1.mga6.src.rpm

Rebuilt for the new mbedtls.

core/updates_testing
shadowsocks-libev-3.1.0-1.2.mga6
bctoolbox-0.2.0-4.2.mga6
hiawatha-10.4-1.2.mga6

tainted/updates_testing
dolphin-emu-5.0-5.2.mga6

Assignee: smelror => qa-bugs

Comment 5
dolphin-emu was previously in core, but not in core release. Seems it is also in tainted and perhaps wasn't pushed as a tainted update, or perhaps should not have been built in core when it was last updated.

$ depcheck dolphin-emu
Mageia release 6 (Official) for x86_64
------------------ Core 32bit Updates
dolphin-emu-5.0-5.1.mga6
------------------ Core Updates
dolphin-emu-5.0-5.1.mga6
------------------ Core Updates Testing
dolphin-emu-5.0-5.2.mga6
------------------ Tainted 32bit Release
dolphin-emu-5.0-5.mga6.tainted
------------------ Tainted Release
dolphin-emu-5.0-5.mga6.tainted
------------------ Tainted Updates Testing
dolphin-emu-5.0-5.2.mga6.tainted

Could this be checked, please? Thanks.
Whiteboard: (none) => feedback

Comment 6
So that's an issue with the previous update, not this one.

Sysadmins, would it be possible to remove the previous update from core/updates after this one is pushed?
Whiteboard: feedback => (none)

Comment 7
MGA6-32 on IBM Thinkpad R50e Xfce

Installation: strange, I do not see any bctoolbox at all in the repo, but I find two libbctoolbox packages of the version indicated in Comment 4. Installed those with the rest of the packages and ran the test as per bug 20561:

# mbedtls-selftest
MD5 test #1: passed
MD5 test #2: passed
....

and at the end:

TIMING tests note: will take some time!
TIMING test #1 (set_alarm / get_timer): passed
TIMING test #2 (set/get_delay ): passed
TIMING test #3 (hardclock / get_timer): failed (ignored)
Executed 23 test suites
[ All tests PASS ]

If the bctoolbox issue can be resolved, then I'll agree to OK this.
CC: (none) => herman.viaene

Comment 8
@Herman, comment 7

$ sudo urpmi bctoolbox
Package lib64bctoolbox0-0.2.0-4.1.mga6.x86_64 is already installed

So it looks like it is just a library, a toolbox for programmers probably.

$ locate bctoolbox
/usr/lib64/libbctoolbox.so.0
/usr/share/doc/lib64bctoolbox0
/usr/share/doc/lib64bctoolbox0/COPYING

So my advice is to go ahead and OK it.
CC: (none) => tarazed25

Comment 9
The master has spoken.
Whiteboard: (none) => MGA6-32-OK

Comment 10
Advisory done as per comment 4; but note that the bug RPMs page has dolphin-emu in both core & tainted. Comments 5 & 6 have a bearing.

SRPMs from 'core-updates_testing'
========================
bctoolbox-0.2.0-4.2.mga6.src.rpm
dolphin-emu-5.0-5.2.mga6.src.rpm
hiawatha-10.4-1.2.mga6.src.rpm
mbedtls-2.7.3-1.mga6.src.rpm
shadowsocks-libev-3.1.0-1.2.mga6.src.rpm

SRPMs from 'tainted-updates_testing'
========================
dolphin-emu-5.0-5.2.mga6.tainted.src.rpm
CC: (none) => lewyssmith

Comment 11
(In reply to David Walser from comment #6)
> So that's an issue with the previous update, not this one.
>
> Sysadmins, would it be possible to remove the previous update from
> core/updates after this one is pushed?

I moved it to tainted/updates to keep the downgrade option available...
CC: (none) => tmb

Comment 12
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0253.html
Status: NEW => RESOLVED
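Both CVEs in the advisory (comment 4) are buffer over-reads in ServerKeyExchange parsing on invalid input. As an added illustration of the defensive checks such a parser needs, and not code from mbed TLS or from this bug report, here is a bounds-checked parser for the PSK identity hint field that ssl_parse_server_psk_hint() handles; it assumes the RFC 4279 wire format (2-byte big-endian length followed by the hint bytes), an assumed local HINT_CAP limit, and constructed sample messages.

```c
/* Added example, not mbed TLS code: bounds-checked parser for the PSK
 * identity hint of a TLS ServerKeyExchange. Assumed wire format (RFC 4279):
 * a 2-byte big-endian length followed by that many bytes of hint. */
#include <stdint.h>
#include <string.h>

#define HINT_CAP 128  /* assumed local buffer size for this example */

/* Parse one hint from [*p, end). On success copy it to hint, advance *p and
 * return its length; on malformed input return -1. Every read is preceded by
 * a check that the bytes exist inside the received message, so a bogus
 * length field cannot cause a read past the end of the buffer. */
int parse_psk_hint(const uint8_t **p, const uint8_t *end, uint8_t *hint)
{
    const uint8_t *q = *p;
    size_t len;
    if (end - q < 2)                 /* is the length field itself present? */
        return -1;
    len = ((size_t)q[0] << 8) | q[1];
    q += 2;
    if ((size_t)(end - q) < len)     /* does the declared length fit the message? */
        return -1;
    if (len > HINT_CAP)              /* and does it fit our own buffer? */
        return -1;
    memcpy(hint, q, len);
    *p = q + len;
    return (int)len;
}
/* Constructed sample messages: one well formed, one whose length field
 * claims more bytes than were received, one cut off inside the length. */
int demo_well_formed(void)
{
    static const uint8_t msg[] = { 0x00, 0x03, 'h', 'i', '!', 0xAA };
    const uint8_t *p = msg; uint8_t hint[HINT_CAP];
    int n = parse_psk_hint(&p, msg + sizeof msg, hint);
    return (n == 3 && p == msg + 5 && memcmp(hint, "hi!", 3) == 0) ? n : -2;
}
int demo_overlong_length(void)
{
    static const uint8_t msg[] = { 0x01, 0x00, 'h' };  /* claims 256 bytes */
    const uint8_t *p = msg; uint8_t hint[HINT_CAP];
    return parse_psk_hint(&p, msg + sizeof msg, hint);  /* rejected: -1 */
}
int demo_truncated_length(void)
{
    static const uint8_t msg[] = { 0x00 };             /* half a length field */
    const uint8_t *p = msg; uint8_t hint[HINT_CAP];
    return parse_psk_hint(&p, msg + sizeof msg, hint);  /* rejected: -1 */
}
```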