Upstream has issued an advisory on October 15: https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.0-2.1.6-and-1.3.18-released Updated package uploaded for Mageia 5. You can use hiawatha, linphone, or pdns to test this. Advisory: ======================== Updated mbedtls packages fix security vulnerabilities: The mbedtls package has been updated to version 1.3.18, which removes a non-default configuration option that could lead to session key recovery in very long TLS sessions and fixes a potential stack corruption that cannot be triggered remotely. It also fixes several bugs. See the upstream release announcement for details. References: https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.0-2.1.6-and-1.3.18-released ======================== Updated packages in core/updates_testing: ======================== mbedtls-1.3.18-1.mga5 libmbedtls9-1.3.18-1.mga5 libmbedtls-devel-1.3.18-1.mga5 from mbedtls-1.3.18-1.mga5.src.rpm
The previous update was simply tested by running the mbedtls-selftest command.
Whiteboard: (none) => has_procedure
Installed these on x86_64 real hardware and ran the selftest command. All tests passed. Since there is no bugtrail to follow, functionality tests are all we have. Updated to version 1.3.18 and ran the selftest again. Again, all tests passed. About to look at the other suggestions for testing.
CC: (none) => tarazed25
MGA5-32 on AsusA6000VM Xfce No installation issues Ran selftest, all tests passed, OK as in bug 18874.
CC: (none) => herman.viaeneWhiteboard: has_procedure => has_procedure MGA5-32-OK
Moved to another 64bit machine and ran the update. Installed hiawatha, stopped the lighttpd service and started hiawatha OK. $ sudo systemctl start hiawatha [lcl@vega python]$ systemctl status hiawatha â hiawatha.service - Hiawatha Web Server Loaded: loaded (/usr/lib/systemd/system/hiawatha.service; enabled) Active: active (running) since Fri 2017-01-27 16:13:09 GMT; 17s ago Process: 21101 ExecStartPre=/usr/sbin/hiawatha -k (code=exited, status=0/SUCCESS) Process: 21097 ExecStartPre=/usr/sbin/wigwam (code=exited, status=0/SUCCESS) Main PID: 21104 (hiawatha) CGroup: /system.slice/hiawatha.service ââ21104 /usr/sbin/hiawatha -d Extract from output of $ urpmq --requires hiawatha .... hiawatha: libmbedtls.so.9()(64bit) Closed firefox and restarted it without a problem and was able to reach sites not likely to be in the cache so this looks fine for x86_64.
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Thanks you Len & Herman for speedy testing. Validating & Advisory-ing.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisoryCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0030.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => https://lwn.net/Vulnerabilities/713061/