Fedora has issued an advisory on August 9: https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114306.html

The security issue in libtommath was fixed in version 0.42.0, which Funda updated us to two years ago (thanks Funda!). As is noted in the Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=615088 dropbear bundles libtommath and libtomcrypt. I would imagine that the current version of dropbear we have has updated these bundled libraries and isn't affected by the security issue.

That being said, we usually prefer to use system libraries instead of bundled ones, and dropbear can do that, according to the comments in the RH bug. However, while we do have libtommath packaged, we do not have libtomcrypt packaged, so if we wanted to switch to system libraries for that, we'd have to import libtomcrypt.
CC'ing Funda (libtommath packager), Colin and Dan (dropbear packagers), and Thierry (because IIRC dropbear is used in the installer and may be impacted by any change to it).
CC: (none) => dan, fundawang, mageia, thierry.vignaud
It's not used in the installer as such, but on the rescue image.
CC: (none) => tmb
Ping. Is it still used the same way in rescue image?
CC: (none) => mageia
Go on, any new lib will automatically get pulled into the rescue system.
I've imported libtomcrypt and switched Dropbear to use the system libtommath and libtomcrypt as suggested.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
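A way to confirm that a dropbear build really links the system libtommath/libtomcrypt rather than its bundled copies, as an added example that is not part of this bug report or of the dropbear or Mageia package sources. The build helper assumes dropbear's configure accepts --disable-bundled-libtom (the switch that forces the system libraries and fails if they are missing); the check itself only inspects ldd-style output, and the two sample outputs below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or from dropbear itself):
# build dropbear against the system libtom libraries, then verify the
# result by looking at what the binary actually links at runtime.

# Build step. Assumed: dropbear's configure script takes
# --disable-bundled-libtom to force the system libtommath/libtomcrypt.
# Run from an unpacked dropbear source tree; extra args go to configure.
build_dropbear_system_libtom() {
    ./configure --disable-bundled-libtom "$@" && make
}

# Given ldd-style output on stdin-free form (passed as one string), return 0
# when both libtommath and libtomcrypt are resolved as shared objects.
# A build that used the bundled copies links them statically, so neither
# .so appears in ldd output and this returns 1.
links_system_libtom() {
    ldd_out="$1"
    printf '%s\n' "$ldd_out" | grep -q 'libtommath\.so' || return 1
    printf '%s\n' "$ldd_out" | grep -q 'libtomcrypt\.so' || return 1
    return 0
}

# Convenience wrapper for a real binary, e.g. check_binary /usr/sbin/dropbear
check_binary() {
    links_system_libtom "$(ldd "$1")"
}

# Constructed sample ldd output for a build using the system libraries.
SAMPLE_SYSTEM='	linux-vdso.so.1 (0x00007ffd12345000)
	libtomcrypt.so.0 => /lib64/libtomcrypt.so.0 (0x00007f1a00000000)
	libtommath.so.0 => /lib64/libtommath.so.0 (0x00007f1a00200000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f1a00400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1a00600000)'

# Constructed sample ldd output for a build with the bundled libtom code
# compiled in statically: no libtom* shared objects are listed.
SAMPLE_BUNDLED='	linux-vdso.so.1 (0x00007ffd12345000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f1a00400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1a00600000)'

# Demonstration on the constructed samples.
if links_system_libtom "$SAMPLE_SYSTEM"; then
    echo "sample 1: system libtommath/libtomcrypt"
else
    echo "sample 1: bundled copies"
fi
if links_system_libtom "$SAMPLE_BUNDLED"; then
    echo "sample 2: system libtommath/libtomcrypt"
else
    echo "sample 2: bundled copies"
fi
```

The point of checking ldd output rather than trusting the spec file is that a bundled build silently carries its own copy of the library, so a libtommath security update on the system would not reach dropbear; a binary that shows libtommath.so and libtomcrypt.so in ldd picks up the packaged fix automatically.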