Bug 29234

Summary: mbedtls new security issues fixed in 2.16.10 and 2.16.11 (including CVE-2021-24119)
Product: Mageia Reporter: Rémi Verschelde <rverschelde>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, ouaurelien, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mbedtls-2.16.9-1.mga8 CVE:
Status comment:

Description Rémi Verschelde 2021-07-07 17:36:34 CEST 
Looks like I missed 2.16.10, and 2.16.11 was just released.

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

  This update provides Mbed TLS 2.16.11, with a number of bug fixes, including
  security fixes. The intermediate version 2.16.10 are included security fixes.

  See the referenced release notes and advisories for details.

References:

 - https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
 - https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2
 - https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
 - https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

SRPM in core/updates_testing:
=============================

mbedtls-2.16.11-1.mga8

RPMs in core/updates_testing:
=============================

mbedtls-2.16.11-1.mga9
lib64mbedtls-devel-2.16.11-1.mga9
lib64mbedcrypto3-2.16.11-1.mga9
lib64mbedtls12-2.16.11-1.mga9
lib64mbedx509_0-2.16.11-1.mga9

Testing procedure:
==================

https://bugs.mageia.org/show_bug.cgi?id=26924#c1
Rémi Verschelde 2021-07-07 17:36:41 CEST

Keywords: (none) => has_procedure

Comment 1 Aurelien Oudelet 2021-07-13 21:52:21 CEST 
Corrected packages list:
Reassigning as a security bug report.

Updated packages in core/updates_testing:
========================
lib(64)mbedcrypto3-2.16.11-1.mga8
lib(64)mbedtls-devel-2.16.11-1.mga8
lib(64)mbedtls12-2.16.11-1.mga8
lib(64)mbedx509_0-2.16.11-1.mga8
mbedtls-2.16.11-1.mga8

SRPMs from 'core-updates_testing'
========================
mbedtls-2.16.11-1.mga8.src.rpm

Component: RPM Packages => Security
CC: (none) => ouaurelien
QA Contact: (none) => security

Comment 2 Len Lawrence 2021-07-18 18:09:43 CEST 
mga8, x86_64

The security problems relate to "side channel attacks" - not within our scope to reproduce.

Installed the six core packages then updated them.
Elected to use the godot test procedure, starting a project then finding templates and browsing the assetlib and installing a couple of modules.
$ grep mbedtls godot.trace
openat(AT_FDCWD, "/lib64/libmbedtls.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.11", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.11", O_RDONLY) = 6

Searching for "tls" in the trace file turns up entries like:
clone(child_stack=0x7f9a0061fe30, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2399179], tls=0x7f9a00620640, child_tidptr=0x7f9a00620910) = 2399179

Giving this an OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-07-18 22:06:55 CEST 
Validating. Advisory in Comment 0, with correct srpm in Comment 1..

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-19 22:09:08 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-07-20 12:48:18 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0361.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2021-08-02 16:58:47 CEST 
One of the issues fixed in 2.16.10 has a CVE:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/

Summary: mbedtls new security issues fixed in 2.16.10 and 2.16.11 => mbedtls new security issues fixed in 2.16.10 and 2.16.11 (including CVE-2021-24119)