Upstream has issued an advisory on August 28:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02

A CVE has been assigned on August 30:
http://www.openwall.com/lists/oss-security/2017/08/30/8

Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case (or because :-( ) the maintainer is unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => oe
Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BIDCXCILJ7BZS2GBSR75NMKRUNLQD3R5/
Whiteboard: (none) => MGA6TOO, MGA5TOO
Advisory:
========================

Updated mbedtls packages fix security vulnerability:

ARM mbed TLS before 1.3.21, 2.1.x before 2.1.9 and 2.x before 2.6.0, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates (CVE-2017-14032).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14032
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
https://tls.mbed.org/tech-updates/releases/mbedtls-2.6.0-2.1.9-and-1.3.21-released
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BIDCXCILJ7BZS2GBSR75NMKRUNLQD3R5/
========================

Updated packages in core/updates_testing:
========================
mbedtls-1.3.21-1.mga5
libmbedtls9-1.3.21-1.mga5
libmbedtls-devel-1.3.21-1.mga5
mbedtls-2.6.0-1.mga6
libmbedtls10-2.6.0-1.mga6
libmbedtls-devel-2.6.0-1.mga6

from SRPMS:
========================
mbedtls-1.3.21-1.mga5.src.rpm
mbedtls-2.6.0-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: oe => qa-bugs
Version: Cauldron => 6
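As an added example (not part of the original bug report or of the mbed TLS project), here is a version-only triage check against the fixed releases named in the advisory above. The function names and the sample inventory are constructed for illustration. The check assumes plain upstream version numbers, optionally followed by an RPM release suffix, and cannot see distribution backports.

```python
import re

# First fixed release per branch, as listed in the advisory text.
FIXED_1_X = (1, 3, 21)  # "before 1.3.21"
FIXED_2_1 = (2, 1, 9)   # "2.1.x before 2.1.9"
FIXED_2_X = (2, 6, 0)   # "2.x before 2.6.0"


def parse_version(pkg_version):
    """Return (major, minor, patch) from '2.6.0' or RPM-style '2.6.0-1.mga6'."""
    upstream = pkg_version.split("-", 1)[0]  # drop the RPM release suffix
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised mbed TLS version: {pkg_version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(pkg_version):
    """True if the version falls in a range the advisory lists as vulnerable."""
    v = parse_version(pkg_version)
    if v[0] < 2:
        return v < FIXED_1_X
    if v[:2] == (2, 1):
        # The 2.1.x branch has its own fix, so 2.1.9+ is fixed although < 2.6.0.
        return v < FIXED_2_1
    if v[0] == 2:
        return v < FIXED_2_X
    return False  # later major versions are outside the advisory's ranges


def triage(inventory):
    """Map host -> 'AFFECTED' or 'fixed' for a {host: version} inventory."""
    return {host: "AFFECTED" if is_affected(ver) else "fixed"
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: host names are hypothetical. The mga5/mga6
    # versions are the updated packages from the advisory.
    sample = {
        "host-a": "1.3.21-1.mga5",
        "host-b": "2.6.0-1.mga6",
        "host-c": "2.1.8",
        "host-d": "2.1.10",
        "host-e": "2.5.1",
    }
    for host, state in triage(sample).items():
        print(f"{host}: {sample[host]} -> {state}")
```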
CC: (none) => davidwhodgins
Keywords: (none) => advisory

MGA5-32 on Dell Latitude D600 Xfce

No installation issues

Ref to bug 20561 Comment 3

$ mbedtls-selftest
MD5 test #1: passed
MD5 test #2: passed
MD5 test #3: passed
MD5 test #4: passed
MD5 test #5: passed

and a lot more, at the end:

[ All tests passed ]

So seems OK

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Tests passed on Mageia 6 x86_64 too. Validating the update.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0038.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED