Bug 21645 - mbedtls new security issue CVE-2017-14032
Summary: mbedtls new security issue CVE-2017-14032
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-08-31 15:19 CEST by David Walser
Modified: 2018-01-03 15:23 CET
CC List: 5 users

See Also:
Source RPM: mbedtls-2.4.2-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-08-31 15:19:44 CEST
Upstream has issued an advisory on August 28:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02

A CVE has been assigned on August 30:
http://www.openwall.com/lists/oss-security/2017/08/30/8

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2017-09-01 12:21:49 CEST
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case (or because :-( ) the maintainer is unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => oe

Comment 2 David Walser 2017-09-03 16:07:24 CEST
Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BIDCXCILJ7BZS2GBSR75NMKRUNLQD3R5/
David Walser 2017-10-18 18:54:31 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 3 David Walser 2017-12-28 19:58:41 CET
Advisory:
========================

Updated mbedtls packages fix security vulnerability:

ARM mbed TLS before 1.3.21, 2.1.x before 2.1.9 and 2.x before 2.6.0, if
optional authentication is configured, allows remote attackers to bypass peer
authentication via an X.509 certificate chain with many intermediates
(CVE-2017-14032).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14032
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
https://tls.mbed.org/tech-updates/releases/mbedtls-2.6.0-2.1.9-and-1.3.21-released
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BIDCXCILJ7BZS2GBSR75NMKRUNLQD3R5/
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.21-1.mga5
libmbedtls9-1.3.21-1.mga5
libmbedtls-devel-1.3.21-1.mga5
mbedtls-2.6.0-1.mga6
libmbedtls10-2.6.0-1.mga6
libmbedtls-devel-2.6.0-1.mga6

from SRPMS:
========================
mbedtls-1.3.21-1.mga5.src.rpm
mbedtls-2.6.0-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: oe => qa-bugs
Version: Cauldron => 6

Dave Hodgins 2018-01-01 07:22:01 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Herman Viaene 2018-01-01 13:49:14 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to bug 20561 Comment 3
$ mbedtls-selftest 

  MD5 test #1: passed
  MD5 test #2: passed
  MD5 test #3: passed
  MD5 test #4: passed
  MD5 test #5: passed
and a lot more, at the end:
  [ All tests passed ]
So seems OK

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Dave Hodgins 2018-01-03 14:14:52 CET
Tests passed on Mageia 6 x86_64 too.

Validating the update.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-01-03 15:23:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0038.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
