Bug 32844

Summary: Update candidate: mbedtls 2.28.7
Product: Mageia Reporter: Rémi Verschelde <rverschelde>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, marja11, sysadmin-bugs, tarazed25
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5 https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7 https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Whiteboard: MGA9-64-OK
Source RPM: mbedtls-2.28.3-1.mga9 CVE:
Status comment:

Description Rémi Verschelde 2024-02-14 00:20:36 CET 
Long overdue, sorry for the delay (2.28.3 -> 2.28.7).

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

  This update brings the mbedtls packages from 2.28.3 to the latest 2.28.7 release
  in the LTS branch, fixing a number of bugs as well the following security
  vulnerabilities:

  - Buffer overread in TLS stream cipher suites.
  - Timing side channel in private key RSA operations.
  - Buffer overflow in mbedtls_x509_set_extension.

  See the linked release notes for details.

References:

- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

SRPM in core/updates_testing:
=============================

mbedtls-2.28.7-1.mga9

RPMs in core/updates_testing:
=============================

lib64mbedcrypto7-2.28.7-1.mga9
lib64mbedtls14-2.28.7-1.mga9
lib64mbedx509_1-2.28.7-1.mga9
lib64mbedtls-devel-2.28.7-1.mga9
mbedtls-2.28.7-1.mga9
Marja Van Waes 2024-02-14 16:06:18 CET

URL: (none) => https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5 https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7 https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
CC: (none) => marja11

Comment 2 Marja Van Waes 2024-02-14 16:10:51 CET 
(In reply to Rémi Verschelde from comment #1)
> > - https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5
> 
> Not critical, but make that one:
> 
> > - https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5

Advisory uploaded with that correction.

Keywords: (none) => advisory

Comment 3 Len Lawrence 2024-02-14 21:05:15 CET 
Mageia9, x86_64
Installed the core packages then updated them from updates-testing.
Referred to bug 29234 for testing.
Reproducers for the vulnerabilities not available.

Installed godot and ran it under strace.
Brought up the blender scene creation gui, backed out, then created a dummy project, and downloaded some files from assetlib.
Closed down.
$ grep mbedtls godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.14", O_RDONLY|O_CLOEXEC) = 3
$ grep crypto godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedcrypto.so.7", O_RDONLY|O_CLOEXEC) = 3
$ grep x509 godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedx509.so.1", O_RDONLY|O_CLOEXEC) = 3

As far as this goes the game engine functions and opens the libraries.

Giving this an OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-02-14 22:04:18 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-02-15 00:03:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0037.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED