Bug 33120

Summary: mbedtls new security issue CVE-2024-28960
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, dan, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: mbedtls-2.28.7-1.mga9.src.rpm CVE: CVE-2024-28960
Status comment:

Description Nicolas Salguero 2024-04-22 10:24:45 CEST 
Fedora has issued an advisory on April 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/

The problem is fixed in version 2.28.8.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-22 10:25:12 CEST

CVE: (none) => CVE-2024-28960
Status comment: (none) => Fixed upstream in 2.28.8
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => mbedtls-2.28.7-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-04-22 13:23:30 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory. (CVE-2024-28960)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/
========================

Updated packages in core/updates_testing:
========================
lib(64)mbedcrypto7-2.28.8-1.mga9
lib(64)mbedtls14-2.28.8-1.mga9
lib(64)mbedtls-devel-2.28.8-1.mga9
lib(64)mbedx509_1-2.28.8-1.mga9
mbedtls-2.28.8-1.mga9

from SRPM:
mbedtls-2.28.8-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.28.8 => (none)
Assignee: bugsquad => qa-bugs

katnatek 2024-04-22 21:22:38 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2024-04-23 16:42:14 CEST 
MGA9-64  Plasma Wayland on HP-Pavillion.
No installation issues.
Repeated tests as in bug 31058 Comment 3:
hiawatha runs OK and answsers with its webpage, godot let me download some demo and move an object around.
OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2024-04-24 04:00:07 CEST

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2024-04-24 14:03:22 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Dan Fandrich 2024-04-25 20:21:41 CEST 
This was pushed to updates while Bugzilla was down.
https://advisories.mageia.org/MGASA-2024-0146.html

Resolution: (none) => FIXED
CC: (none) => dan
Status: ASSIGNED => RESOLVED

Comment 5 Mageia Robot 2024-04-26 08:48:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0146.html