Upstream has issued an advisory on October 5: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 The first CVE comes from the upstream advisory and the second was noted by RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1270170#c10 They are heap-based buffer overflow issues and are fixed in 1.3.14. I had previously missed this due to the renaming to mbedtls (!?). There were other security fixes and hardening changes in 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, and 1.3.15: https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.10-released https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-polarssl.1.2.18-released LWN reference for 1.3.11: http://lwn.net/Vulnerabilities/647615/ Reproducible: Steps to Reproduce:
Fedora advisories for mbedtls: https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159916.html https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html
Version: 5 => CauldronWhiteboard: (none) => MGA5TOO
One more, addressing SLOTH (CVE-2015-7575) and a double-free issue: https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
It looks like mbedtls 1.3.16 is written in such a way that things that build against polarssl should be able to find it. The library major has increased from 7 to 9 in version 1.3.16, so everything linked to it would need to be rebuilt (belle-sip, hiawatha, linphone, pdns). It looks like nothing in Cauldron is using the mbedtls 2.2.1 there, so it should be removed and replaced with 1.3.16.
Hiawatha will also be updated to version 9.13 for mbedtls 1.3.x support: https://www.hiawatha-webserver.org/changelog
Advisory: ======================== Updated mbedtls packages fix security vulnerabilities: Note: this package was called polarssl, but is now called mbed tls. The PolarSSL software is now called mbed TLS. Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message (CVE-2015-5291). Heap-based buffer overflow in mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session (CVE-2015-8036). The mbedtls package has been updated to version 1.3.16, which contains several other bug fixes, security fixes, and security enhancements. The hiawatha package, which uses the polarssl/mbedtls library, has been updated to version 9.13 for improved compatibility. The belle-sip library package has been updated to version 1.4.2 for improved compatibility and the linphone package has been rebuilt against mbedtls. The pdns package has also been rebuilt against mbedtls. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5291 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8036 https://www.hiawatha-webserver.org/changelog https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.10-released https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-and-mbedtls-1.3.12-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.0-2.1.3-1.3.15-and-polarssl.1.2.18-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01 https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159916.html https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html ======================== Updated packages in core/updates_testing: ======================== mbedtls-1.3.16-1.mga5 libmbedtls9-1.3.16-1.mga5 libmbedtls-devel-1.3.16-1.mga5 hiawatha-9.13-1.mga5 libbellesip0-1.4.2-1.mga5 libbellesip-devel-1.4.2-1.mga5 linphone-3.8.1-1.1.mga5 liblinphone6-3.8.1-1.1.mga5 libmediastreamer4-3.8.1-1.1.mga5 liblinphone-devel-3.8.1-1.1.mga5 pdns-3.3.3-1.1.mga5 pdns-backend-pipe-3.3.3-1.1.mga5 pdns-backend-mysql-3.3.3-1.1.mga5 pdns-backend-pgsql-3.3.3-1.1.mga5 pdns-backend-ldap-3.3.3-1.1.mga5 pdns-backend-sqlite-3.3.3-1.1.mga5 pdns-backend-geo-3.3.3-1.1.mga5 from SRPMS: mbedtls-1.3.16-1.mga5.src.rpm hiawatha-9.13-1.mga5.src.rpm belle-sip-1.4.2-1.mga5.src.rpm linphone-3.8.1-1.1.mga5.src.rpm pdns-3.3.3-1.1.mga5.src.rpm
Version: Cauldron => 5Assignee: oe => qa-bugsWhiteboard: MGA5TOO => (none)
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
(In reply to David Walser from comment #2) > One more, addressing SLOTH (CVE-2015-7575) and a double-free issue: > https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and- > polarssl.1.2.19-released Fedora has issued an advisory for this on January 19: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175762.html from http://lwn.net/Vulnerabilities/672563/
Taking a first look at this, I am unsure whether installing all the 'previous' pkgs (polarssl, hiawatha, linphone, pdns) and then updating them referencing Testing repos would update eveything with changed version numbers &/or names - notably polarssl -> mbedtls. Or how these changes would be implemented by users.
CC: (none) => lewyssmith
Polarssl would be automatically replaced by mbedtls. That, and the other applications, when updated, would automatically pull in the mbedtls library as a dependency. The old polarssl library would be orphaned.
Testing M5 x64 real hardware Installed from issued repos: polarssl, hiawatha, linphone, pdns without doing anything with any of them; just to ensure that they updated OK. Then from Updates Testing, updated via MCC/Update System to: mbedtls-1.3.16-1.mga5 lib64mbedtls9-1.3.16-1.mga5 hiawatha-9.13-1.mga5 lib64bellesip0-1.4.2-1.mga5 lib64linphone6-3.8.1-1.1.mga5 linphone-3.8.1-1.1.mga5 lib64mediastreamer4-3.8.1-1.1.mga5 pdns-3.3.3-1.1.mga5 [used just this as an mbedtls application] The update went without problem - except polarssl was *not* warned as orphaned. # mbedtls-selftest [note no longer polarssl-selftest] yielded a lot of O/P, *all* of which passed. Played with 'pdns' as described in Bug 13764 Comment 6, Bug 13521 Comment 2, Bug 11459 Comment 7, noting especially [can be used for future reference]: edit /etc/powerdns/pdns.conf local-address=127.0.0.1 local-port=2000 # systemctl start pdns.service # systemctl status -l pdns.service รข pdns.service - PowerDNS Authoritative Server Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled) Active: active (running) since Llu 2016-02-08 10:23:21 CET; 39s ago Process: 15385 ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes (code=exited, status=0/SUCCESS) ... tcp 0 0 127.0.0.1:2000 0.0.0.0:* LISTEN 15390/pdns_server-i udp 0 0 127.0.0.1:2000 0.0.0.0:* 15390/pdns_server-i ... $ dig www.example.com A @127.0.0.1 -p 2000 ; <<>> DiG 9.10.3-P3 <<>> www.example.com A @127.0.0.1 -p 2000 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 54494 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2800 ;; QUESTION SECTION: ;www.example.com. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#2000(127.0.0.1) ;; WHEN: Llu Chw 08 10:25:45 CET 2016 ;; MSG SIZE rcvd: 44 $ dig mageia.org @127.0.0.1 -p 2000 ; <<>> DiG 9.10.3-P3 <<>> mageia.org @127.0.0.1 -p 2000 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61560 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2800 ;; QUESTION SECTION: ;mageia.org. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#2000(127.0.0.1) ;; WHEN: Llu Chw 08 10:32:08 CET 2016 ;; MSG SIZE rcvd: 39 all consistent with earlier test results. So this update looks OK.
Whiteboard: advisory => advisory MGA5-64-OK
Well done Lewis. Validating. Polarssl is not shown as being orphaned because mbedtls should provide and obsolete it (packaging terms) due to the name change, meaning it replaces it and removes the old one. Please push to 5 updates Thanks
Keywords: (none) => validated_updateSource RPM: polarssl-1.3.9-3.mga5.src.rpm => polarssl-1.3.9-3.mga5.src.rpm mbedtlsCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0054.html
Status: NEW => RESOLVEDResolution: (none) => FIXED