Upstream has issued an advisory on March 10:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01

The issue (and others) is fixed in 1.3.19:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released

openSUSE has issued an advisory for this on March 22:
https://lists.opensuse.org/opensuse-updates/2017-03/msg00072.html

Updates for Mageia 5 and Cauldron checked into SVN. Freeze push requested.

Eventual advisory for this update below.

Advisory:
========================

Updated mbedtls packages fix security vulnerabilities:

In mbedTLS before 1.3.19, if a malicious peer supplies a certificate with a
specially crafted secp224k1 public key, then an attacker can cause the server
or client to attempt to free a block of memory held on the stack. Depending on
the platform, this could result in a Denial of Service (client crash) or
potentially could be exploited to allow remote code execution with the same
privileges as the host application (CVE-2017-2784).

The mbedtls package has been updated to version 1.3.19, fixing this issue as
well as other security issues and bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2784
https://tls.mbed.org/tech-updates/releases/mbedtls-2.4.2-2.1.7-and-1.3.19-released
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
https://lists.opensuse.org/opensuse-updates/2017-03/msg00072.html
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.19-1.mga5
libmbedtls9-1.3.19-1.mga5
libmbedtls-devel-1.3.19-1.mga5

from mbedtls-1.3.19-1.mga5.src.rpm
The previous update was simply tested by running the mbedtls-selftest command.
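The QA procedure used in this thread (confirm the fixed package version is installed, run mbedtls-selftest, look for the closing "[ All tests passed ]" banner) scripted as an added example. This is not code from the Mageia bug report or from the mbedtls project; the package names and the sample selftest output below are constructed from what the thread shows, and the three-component version comparison and the hypothetical helper names (version_ge, pkg_version, selftest_passed) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or mbedtls): script the QA checks
# for this update so a tester does not have to eyeball the selftest output.
# Assumption: the fix ships in mbedtls 1.3.19 on Mageia 5, as the advisory says.
FIXED_VERSION="1.3.19"

# version_ge A B: exit 0 if dotted version A is >= B.
# Compares up to three numeric fields; missing fields count as 0
# (enough for mbedtls x.y.z versions, not for rpm release tags).
version_ge() {
    va=$1; vb=$2
    old_ifs=$IFS; IFS=.
    set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return $?; fi
    [ "$a3" -ge "$b3" ]
}

# pkg_version NAME-VER-REL: extract the upstream version from an rpm NVR
# such as "libmbedtls9-1.3.19-1.mga5" -> "1.3.19".
pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z0-9-]*-\([0-9][0-9.]*\)-[^-]*$/\1/p'
}

# selftest_passed: read mbedtls-selftest output on stdin; exit 0 only if the
# last line is the success banner and no individual test reported "failed".
selftest_passed() {
    out=$(cat)
    last=$(printf '%s\n' "$out" | tail -n 1)
    [ "$last" = "[ All tests passed ]" ] || return 1
    if printf '%s\n' "$out" | grep -q ': failed'; then return 1; fi
    return 0
}

# Constructed sample, trimmed from the output quoted later in this thread.
SAMPLE_OUTPUT='DHM parameter load: passed
ENTROPY test: passed
PBKDF2 (SHA1) #0: passed
TIMING test #4 (net_usleep/ get_timer): passed
[ All tests passed ]'

# Offline run against the constructed package list and sample output.
for nvr in mbedtls-1.3.19-1.mga5 libmbedtls9-1.3.19-1.mga5 libmbedtls-devel-1.3.19-1.mga5; do
    v=$(pkg_version "$nvr")
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "$nvr: version $v >= $FIXED_VERSION, fixed"
    else
        echo "$nvr: version $v < $FIXED_VERSION, still vulnerable to CVE-2017-2784"
    fi
done
if printf '%s\n' "$SAMPLE_OUTPUT" | selftest_passed; then
    echo "sample selftest output: OK"
else
    echo "sample selftest output: FAILED"
fi

# On a real Mageia 5 box, feed the live tools through the same checks.
if command -v rpm >/dev/null 2>&1 && command -v mbedtls-selftest >/dev/null 2>&1; then
    live=$(rpm -q mbedtls 2>/dev/null) && echo "installed: $live"
    if mbedtls-selftest 2>&1 | selftest_passed; then
        echo "live mbedtls-selftest: OK"
    else
        echo "live mbedtls-selftest: FAILED"
    fi
fi
```

The version check is deliberately stricter than "the update installed without error": the advisory says the fix is in 1.3.19, so a box that still reports 1.3.18 or older has not received it, whatever the selftest prints. The selftest itself exercises the crypto primitives and timing code, not certificate parsing, so passing it shows the build is sane rather than that the secp224k1 bug is gone; that is what the version check is for.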
Whiteboard: (none) => has_procedure
Updated packages uploaded for Mageia 5 and Cauldron. Advisory, packages, and testing information in Comment 0 and Comment 1.
Assignee: bugsquad => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
The preupdate packages were already installed. Ran the mbedtls-selftest command and all tests were passed. Installed the updates on x86_64 and ran the test command again.

Tail end of output:

DHM parameter load: passed
ENTROPY test: passed
PBKDF2 (SHA1) #0: passed
PBKDF2 (SHA1) #1: passed
PBKDF2 (SHA1) #2: passed
PBKDF2 (SHA1) #3: passed
PBKDF2 (SHA1) #4: passed
PBKDF2 (SHA1) #5: passed
PBKDF2 (SHA1) #0: passed
PBKDF2 (SHA1) #1: passed
PBKDF2 (SHA1) #2: passed
PBKDF2 (SHA1) #3: passed
PBKDF2 (SHA1) #4: passed
PBKDF2 (SHA1) #5: passed
TIMING tests note: will take some time!
TIMING test #1 (m_sleep / get_timer): passed
TIMING test #2 (set_alarm / get_timer): passed
TIMING test #3 (hardclock / get_timer): passed
TIMING test #4 (net_usleep/ get_timer): passed
[ All tests passed ]
CC: (none) => tarazed25
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Installed missing pre-update packages on i586 in virtualbox and ran the selftest. All OK. Installed the update and ran the mbedtls-selftest command again. All tests passed. OK for both architectures. Can be validated.
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0094.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED