Upstream has issued an advisory on February 1:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00075.html

The issue is fixed upstream in 1.3.22 and 2.7.0:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.7.0-2.1.10-and-1.3.22-released

Mageia 5 and Mageia 6 are also affected.

Note that 2.7.0 breaks binary compatibility, so we'll have to rebuild everything against it (for Mageia 6 and Cauldron).
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 2.7.0
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable. @ Oden If you want to comment or do another action in this report and your password hasn't yet been reset _after_ the passwords of all with a Mageia account have been disabled, then please ask tmb to reset your password ;-)
Assignee: bugsquad => oe
CC: (none) => marja11, pkg-bugs
Fedora has issued an advisory for this on February 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TODZI6LI3BIMQOPKN35KXJED3J52R2AM/
Assignee: oe => smelror
CC: (none) => smelror
Advisory
========

The mbedtls package has been updated to fix several security issues.

(CVE-2018-0488) Fixed a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS.

(CVE-2018-0487) Fixed a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution.

References
==========

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
https://tls.mbed.org/tech-updates/releases/mbedtls-2.7.0-2.1.10-and-1.3.22-released
https://nvd.nist.gov/vuln/detail/CVE-2017-18187
https://nvd.nist.gov/vuln/detail/CVE-2018-0487
https://nvd.nist.gov/vuln/detail/CVE-2018-0488

Files
=====

These files have been uploaded to core/updates_testing:

mbedtls-2.7.0-1.mga6
lib64mbedtls-devel-2.7.0-1.mga6
lib64mbedtls10-2.7.0-1.mga6

from mbedtls-2.7.0-1.mga6.src.rpm

These packages have been rebuilt against the new mbedtls:

shadowsocks-libev-3.1.0-1.1.mga6
bctoolbox-0.2.0-4.1.mga6
hiawatha-10.4-1.1.mga6
dolphin-emu-5.0-5.1.mga6
Assignee: smelror => qa-bugs
Whiteboard: MGA6TOO => (none)
CVE: (none) => CVE-2017-18187 CVE-2018-0487 CVE-2018-0488
Version: Cauldron => 6
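The advisory above describes CVE-2018-0487 only as "a buffer overflow in RSA-PSS verification when the hash was too large for the key size". The following Python is an added illustration, not mbedtls's code and not the upstream patch: it implements EMSA-PSS encoding and verification from RFC 8017 section 9.1 (SHA-2 via hashlib, MGF1 from appendix B.2.1) with the length-consistency check emLen >= hLen + sLen + 2 that a verifier has to apply before it splits the encoded message into maskedDB and H. With that check in place, a 512-bit modulus combined with SHA-512 and a 64-byte salt is rejected up front rather than being sliced and indexed. The key sizes, hash algorithms and salt lengths used are chosen for the example.

```python
"""EMSA-PSS encode/verify (RFC 8017 section 9.1) with the length check that
rejects a hash (plus salt) too large for the key size.

Illustrative code added for this report: it is not mbedtls's implementation
and not the fix for CVE-2018-0487, only the RFC-level check the bug class
relates to."""
import hashlib
import os
from typing import Optional


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 mask generation function (RFC 8017 appendix B.2.1)."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def key_fits(em_bits: int, salt_len: int, hash_name: str = "sha256") -> bool:
    """RFC 8017 9.1.1 step 3 / 9.1.2 step 3: emLen >= hLen + sLen + 2.

    emLen is the modulus length in octets; the encoded message must hold
    the hash H, the salt, the 0x01 separator and the 0xbc trailer."""
    h_len = hashlib.new(hash_name).digest_size
    return (em_bits + 7) // 8 >= h_len + salt_len + 2


def emsa_pss_encode(message: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256",
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-Encode (RFC 8017 9.1.1). Raises ValueError if the key is too small."""
    if not key_fits(em_bits, salt_len, hash_name):
        raise ValueError("encoding error: hash and salt do not fit the key size")
    m_hash = hashlib.new(hash_name, message).digest()
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if salt is None:
        salt = os.urandom(salt_len)
    h_val = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - salt_len - h_len - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf1(h_val, em_len - h_len - 1, hash_name)
    masked_db = bytes(a ^ b for a, b in zip(db, db_mask))
    # Step 11: clear the leftmost 8*emLen - emBits bits of the first octet.
    top_mask = 0xFF >> (8 * em_len - em_bits)
    masked_db = bytes([masked_db[0] & top_mask]) + masked_db[1:]
    return masked_db + h_val + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, salt_len: int,
                    hash_name: str = "sha256") -> bool:
    """EMSA-PSS-Verify (RFC 8017 9.1.2). Returns False on any inconsistency.

    The length check runs before any slicing, so an oversized hash/salt for
    the key size is refused instead of producing out-of-range offsets."""
    m_hash = hashlib.new(hash_name, message).digest()
    h_len = len(m_hash)
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or not key_fits(em_bits, salt_len, hash_name):
        return False                      # step 3: lengths cannot be consistent
    if em[-1] != 0xBC:
        return False                      # step 4: trailer field
    masked_db, h_val = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False                      # step 6: leading bits must be zero
    db_mask = mgf1(h_val, em_len - h_len - 1, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= top_mask                     # step 9
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                      # step 10: PS all zero, then 0x01
    salt = bytes(db[-salt_len:]) if salt_len else b""
    return hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest() == h_val


if __name__ == "__main__":
    # Constructed inputs: a 2048-bit modulus with SHA-256 and a 32-byte salt fits,
    # a 512-bit modulus with SHA-512 and a 64-byte salt does not.
    em = emsa_pss_encode(b"hello", 2047, 32)
    print("2048-bit/SHA-256 verifies:", emsa_pss_verify(b"hello", em, 2047, 32))
    print("512-bit/SHA-512 fits:", key_fits(511, 64, "sha512"))
    print("512-bit/SHA-512 rejected:", emsa_pss_verify(b"x", b"\x00" * 64, 511, 64, "sha512"))
```

The point to carry over to any implementation, in C or otherwise, is the ordering: the emLen against hLen + sLen + 2 comparison has to happen before the encoded message is split into maskedDB and H, because every later offset (the position of the 0x01 separator, the start of the salt) is derived from those lengths and goes out of bounds when the hash is too big for the modulus.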
mbedtls has also been updated in Cauldron with the same packages rebuilt.
Advisory uploaded.

Procedure: bug 20561 comment 3

+src: + 6: + core: + - mbedtls-2.7.0-1.mga6 + - shadowsocks-libev-3.1.0-1.1.mga6 + - bctoolbox-0.2.0-4.1.mga6 + - hiawatha-10.4-1.1.mga6 + - dolphin-emu-5.0-5.1.mga6
Keywords: (none) => advisory, has_procedure
Testing mga6 64

Could probably do with testing some of the others if rpms can be given for those please.

# mbedtls-selftest
...<snip>
Executed 23 test suites

[ All tests PASS ]

Ensured hiawatha webserver was still able to start (after stopping httpd) and browsed to localhost.

# systemctl restart hiawatha.service
# systemctl status hiawatha.service
● hiawatha.service - Hiawatha Web Server
   Loaded: loaded (/usr/lib/systemd/system/hiawatha.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-03-07 16:59:13 GMT; 8s ago

"Congratulations! The Hiawatha webserver has successfully been installed on this server. For more information about this webserver, visit the Hiawatha website."
Performed the same tests mga6 32. Adding the OKs and validating.
Keywords: (none) => validated_update
Whiteboard: (none) => mga6-64-ok mga6-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0163.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED