| Summary: | mbedtls new security issues fixed in 2.16.12 (including CVE-2021-44732) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | mbedtls-2.16.11-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2022-01-11 00:35:22 CET
David Walser
2022-01-11 00:35:39 CET
Whiteboard: (none) => MGA8TOO

On it.

For the record mbedtls 2.16.12 is the final release in the 2.16 LTS branch, so we'll have to move to their newly released 2.28 LTS branch (in Cauldron first, and then see if we can afford the switch in Mageia 8 or should do what we can to backport security fixes - depends on what other distros do I guess).

Status: NEW => ASSIGNED

mbedtls-2.16.12-1.mga9 pushed to Cauldron.

Update candidate for Mageia 8:

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

This update provides Mbed TLS 2.16.12, with a number of bug fixes, including security fixes. See the referenced release notes and advisory for details.

References:
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

SRPM in core/updates_testing:
=============================
mbedtls-2.16.12-1.mga8

RPMs in core/updates_testing:
=============================
mbedtls-2.16.12-1.mga8
lib64mbedtls-devel-2.16.12-1.mga8
lib64mbedcrypto3-2.16.12-1.mga8
lib64mbedtls12-2.16.12-1.mga8
lib64mbedx509_0-2.16.12-1.mga8

Testing procedure:
==================
https://bugs.mageia.org/show_bug.cgi?id=26924#c1

Assignee: rverschelde => qa-bugs

mga8, x64

Before updating:
The mbedtls packages were already installed but running godot failed with an error saying that the video driver did not support any of the supported openGL drivers. The GTX 1080Ti graphics card uses the nvidia 470.86 driver and has worked before in this context. This is a separate issue from mbedtls so a move to another machine is in order.
Later.

CC: (none) => tarazed25

OK. GLX is working on another nvidia machine.
Installed and updated mbedtls packages.
Installed hiawatha and godot.
Replaced httpd by hiawatha and checked the welcome message at localhost in a browser - "It works!"
Visited a secure banking site, supplied credentials and downloaded accounts information. No problems.
Ran godot from the cli. Interface appeared. Created a user project, browsed asset library and downloaded and installed three tools without issue. Viewed the res://assets/ in the FileSystem section and found the new tools listed under addons. Played about with the gui but with no training had to back out.
It all looks good as far as it goes.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
Dave Hodgins
2022-01-14 22:02:18 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0017.html

Status: ASSIGNED => RESOLVED

This update also fixed CVE-2021-43666:
https://www.debian.org/lts/security/2022/dla-3249