| Summary: | mbedtls 2.16.12 new security issue CVE-2022-46392 (CVE-2022-46393 not applicable) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Rémi Verschelde <rverschelde> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | nicolas.salguero |
| Version: | 8 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | mbedtls-2.16.12-1.1.mga8.src.rpm | CVE: | |
| Status comment: | Patches available from upstream and openSUSE | | |
|
Description

David Walser, 2023-01-03 20:30:29 CET

David Walser, 2023-01-03 20:30:51 CET

Status comment: (none) => Patches available from upstream and openSUSE

I believe the CVE was badly written as it doesn't specify the first vulnerable version. The 2.16.x branch doesn't seem to have the MBEDTLS_SSL_DTLS_CONNECTION_ID code at all, so it's not relevant for it.

Status: NEW => RESOLVED

Fedora has issued an advisory for this on January 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/

Is 2.16.x also not affected by CVE-2022-46392?

Summary: mbedtls new security issue CVE-2022-46393 => mbedtls new security issues CVE-2022-4639[23]

CVE-2022-46392 seems applicable. Debian marks their versions as vulnerable:
https://security-tracker.debian.org/tracker/CVE-2022-46392

They postponed fixing this as a "minor issue". Upstream/the CVE don't give much information on which commit fixed it, but going through the logs of the 2.28 branch I identified this patch:
https://github.com/Mbed-TLS/mbedtls/commit/99ac73d9632c17f0412335d784ee9138028e03e8

It doesn't cherry-pick trivially, but the conflicts might not be hard to solve.

Resolution: INVALID => (none)

Mageia 8 EOL

CC: (none) => nicolas.salguero
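The two checks the thread performs by hand, as an added example that is not part of the bug report, of Mageia's packaging, or of Mbed TLS: whether a source tree references the Connection ID feature at all (the basis for ruling CVE-2022-46393 out for 2.16.x), and whether the fix commit identified on the 2.28 branch is already reachable from the branch being packaged or cherry-picks onto it cleanly. The script builds a constructed throw-away git repository standing in for the two upstream branches; the branch names, the `cve-fix` tag (a stand-in for commit 99ac73d9, not that commit's content), the file contents and the function names `has_cid_code`, `commit_in_branch`, `try_backport` and `make_demo_repo` are all this example's own assumptions. It needs only `git` and POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug or of Mbed TLS. Builds a constructed
# git repo: an "mbedtls-2.16" branch that never gained the
# MBEDTLS_SSL_DTLS_CONNECTION_ID code, and an "mbedtls-2.28" branch whose fix
# commit (tagged cve-fix here, hypothetical) does not cherry-pick cleanly onto 2.16.
set -eu

# CVE-2022-46393 applicability check: does the tree reference the Connection ID
# feature anywhere under include/ or library/? Prints "present" or "absent".
has_cid_code() {
    if grep -rq 'MBEDTLS_SSL_DTLS_CONNECTION_ID' "$1/include" "$1/library"; then
        echo present
    else
        echo absent
    fi
}

# Is commit $2 already an ancestor of branch $1 in repo $3? Exit 0 means the
# fix is already in that branch and there is nothing to backport.
commit_in_branch() {
    git -C "$3" merge-base --is-ancestor "$2" "$1"
}

# Attempt to backport commit $2 onto the checked-out branch of repo $1.
# Prints "clean" if it applied, otherwise "conflict" followed by the files that
# need a hand merge; the failed pick is aborted so the tree is left untouched.
try_backport() {
    if git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
           cherry-pick -x "$2" >/dev/null 2>&1; then
        echo clean
    else
        echo conflict
        git -C "$1" diff --name-only --diff-filter=U
        git -C "$1" cherry-pick --abort 2>/dev/null || true
    fi
}

# Constructed repository mimicking the two upstream branches (not real history).
make_demo_repo() {
    d=$(mktemp -d)
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c init.defaultBranch=mbedtls-2.16 "$@"; }
    g init -q
    g symbolic-ref HEAD refs/heads/mbedtls-2.16
    mkdir -p "$d/library" "$d/include/mbedtls"
    printf '/* modular exponentiation */\nint mpi_exp_mod(void)\n{\n    return 0;\n}\n' \
        > "$d/library/bignum.c"
    printf '/* 2.16 config: no DTLS Connection ID option */\n' > "$d/include/mbedtls/config.h"
    g add -A && g commit -q -m "2.16 baseline"
    # 2.28 branch: gains the CID option and a reworked exp_mod body.
    g checkout -q -b mbedtls-2.28
    printf '#define MBEDTLS_SSL_DTLS_CONNECTION_ID\n' >> "$d/include/mbedtls/config.h"
    printf '/* modular exponentiation */\nint mpi_exp_mod(void)\n{\n    int w = 3;\n    return w;\n}\n' \
        > "$d/library/bignum.c"
    g add -A && g commit -q -m "2.28: add CID, sliding-window exp_mod"
    # The fix commit touches lines that only exist on 2.28, so it will conflict on 2.16.
    printf '/* modular exponentiation */\nint mpi_exp_mod(void)\n{\n    int w = 3; /* constant-time window select */\n    return w;\n}\n' \
        > "$d/library/bignum.c"
    g add -A && g commit -q -m "Fix side channel in mpi_exp_mod"
    g tag cve-fix
    g checkout -q mbedtls-2.16
    echo "$d"
}
```

Against a real checkout the same three functions apply unchanged: point `has_cid_code` at the unpacked 2.16.12 tarball, and run `commit_in_branch mbedtls-2.16 99ac73d9632c17f0412335d784ee9138028e03e8 /path/to/mbedtls` followed by `try_backport` on the branch you are packaging; a "conflict" result lists exactly the files whose hunks need the hand merge the comment above anticipates.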