Bug 22653 - mbedtls new security issues CVE-2017-18187, CVE-2018-0487, CVE-2018-0488
Summary: mbedtls new security issues CVE-2017-18187, CVE-2018-0487, CVE-2018-0488
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok mga6-32-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-24 23:51 CET by David Walser
Modified: 2018-03-10 21:48 CET
CC List: 4 users

See Also:
Source RPM: mbedtls-2.6.0-1.mga6.src.rpm
CVE: CVE-2017-18187 CVE-2018-0487 CVE-2018-0488
Status comment: Fixed upstream in 2.7.0



Description David Walser 2018-02-24 23:51:04 CET
Upstream has issued an advisory on February 1:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00075.html

The issue is fixed upstream in 1.3.22 and 2.7.0:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.7.0-2.1.10-and-1.3.22-released

Mageia 5 and Mageia 6 are also affected.

Note that 2.7.0 breaks binary compatibility, so we'll have to rebuild everything against it (for Mageia 6 and Cauldron).
David Walser 2018-02-24 23:51:21 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 2.7.0

Comment 1 Marja Van Waes 2018-02-25 09:12:14 CET
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.


@ Oden

If you want to comment or do another action in this report and your password hasn't yet been reset _after_ the passwords of all with a Mageia account have been disabled, then please ask tmb to reset your password ;-)

Assignee: bugsquad => oe
CC: (none) => marja11, pkg-bugs

Comment 2 David Walser 2018-03-03 19:19:37 CET
Fedora has issued an advisory for this on February 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TODZI6LI3BIMQOPKN35KXJED3J52R2AM/
Stig-Ørjan Smelror 2018-03-07 09:39:04 CET

Assignee: oe => smelror
CC: (none) => smelror

Comment 3 Stig-Ørjan Smelror 2018-03-07 10:36:51 CET
Advisory
========

The mbedtls package has been updated to fix several security issues.

(CVE-2018-0488) Fixed a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS.

(CVE-2018-0487) Fixed a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution.

References
==========
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
https://tls.mbed.org/tech-updates/releases/mbedtls-2.7.0-2.1.10-and-1.3.22-released
https://nvd.nist.gov/vuln/detail/CVE-2017-18187
https://nvd.nist.gov/vuln/detail/CVE-2018-0487
https://nvd.nist.gov/vuln/detail/CVE-2018-0488

Files
=====

These files have been uploaded to core/updates_testing:
mbedtls-2.7.0-1.mga6
lib64mbedtls-devel-2.7.0-1.mga6
lib64mbedtls10-2.7.0-1.mga6

from mbedtls-2.7.0-1.mga6.src.rpm

These packages have been rebuilt against the new mbedtls:
shadowsocks-libev-3.1.0-1.1.mga6
bctoolbox-0.2.0-4.1.mga6
hiawatha-10.4-1.1.mga6
dolphin-emu-5.0-5.1.mga6

Assignee: smelror => qa-bugs
Whiteboard: MGA6TOO => (none)
CVE: (none) => CVE-2017-18187 CVE-2018-0487 CVE-2018-0488
Version: Cauldron => 6

Comment 4 Stig-Ørjan Smelror 2018-03-07 10:37:28 CET
mbedtls has also been updated in Cauldron with the same packages rebuilt.
Comment 5 claire robinson 2018-03-07 16:57:20 CET
Advisory uploaded. Procedure: bug 20561 comment 3

+src:
+  6:
+   core:
+     - mbedtls-2.7.0-1.mga6
+     - shadowsocks-libev-3.1.0-1.1.mga6
+     - bctoolbox-0.2.0-4.1.mga6
+     - hiawatha-10.4-1.1.mga6
+     - dolphin-emu-5.0-5.1.mga6

Keywords: (none) => advisory, has_procedure

Comment 6 claire robinson 2018-03-07 18:05:07 CET
Testing mga6 64

Could probably do with testing some of the others if rpms can be given for those please.

# mbedtls-selftest
...<snip>
Executed 23 test suites

  [ All tests PASS ]

Ensured hiawatha webserver was still able to start (after stopping httpd) and browsed to localhost.


# systemctl restart hiawatha.service 
# systemctl status hiawatha.service 
● hiawatha.service - Hiawatha Web Server
   Loaded: loaded (/usr/lib/systemd/system/hiawatha.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-03-07 16:59:13 GMT; 8s ago


"Congratulations! The Hiawatha webserver has successfully been installed on this server. For more information about this webserver, visit the Hiawatha website."
Comment 7 claire robinson 2018-03-10 17:30:54 CET
Performed the same tests mga6 32. Adding the OKs and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => mga6-64-ok mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-03-10 21:48:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0163.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

