Upstream has released new versions on March 21: https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released There were several security and other bugfixes. We should update to 2.7.2, and stay on the 2.7.x branch, even in Cauldron, as it is now an LTS branch: https://tls.mbed.org/tech-updates/blog/our-next-lts-branch-mbedtls-2.7
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, because the registered maintainer for this package is currently unavailable.
CC: (none) => marja11, oe, smelror
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory today (April 21): https://lists.opensuse.org/opensuse-updates/2018-04/msg00051.html Two of the security fixes have CVEs.
Summary: mbedtls new security issues fixed upstream in 2.7.2 => mbedtls new security issues fixed upstream in 2.7.2 (CVE-2018-9988 and CVE-2018-9989)
Status comment: (none) => Fixed upstream in 2.7.2
Assignee: pkg-bugs => smelror
mbedtls-2.7.3-1.mga7 pushed to Cauldron by Stig-Ørjan. Sysadmins, please remove mbedtls from mga6 core/updates_testing. The wrong version was pushed there.
CC: (none) => sysadmin-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Advisory
========

mbedtls has been updated to fix two security issues.

CVE-2018-9988: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input.

CVE-2018-9989: ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2018-9988
https://nvd.nist.gov/vuln/detail/CVE-2018-9989
https://lists.opensuse.org/opensuse-updates/2018-04/msg00051.html

mbedtls-2.7.3-1.mga6
lib64mbedtls-devel-2.7.3-1.mga6
lib64mbedtls10-2.7.3-1.mga6
mbedtls-debuginfo-2.7.3-1.mga6

from mbedtls-2.7.3-1.mga6.src.rpm

Rebuilt for the new mbedtls:

core/updates_testing
shadowsocks-libev-3.1.0-1.2.mga6
bctoolbox-0.2.0-4.2.mga6
hiawatha-10.4-1.2.mga6

tainted/updates_testing
dolphin-emu-5.0-5.2.mga6
Assignee: smelror => qa-bugs
dolphin-emu was previously in core, but not in core release. Seems it is also in tainted and perhaps wasn't pushed as a tainted update, or perhaps should not have been built in core when it was last updated.

$ depcheck dolphin-emu
Mageia release 6 (Official) for x86_64
------------------ Core 32bit Updates
dolphin-emu-5.0-5.1.mga6
------------------ Core Updates
dolphin-emu-5.0-5.1.mga6
------------------ Core Updates Testing
dolphin-emu-5.0-5.2.mga6
------------------ Tainted 32bit Release
dolphin-emu-5.0-5.mga6.tainted
------------------ Tainted Release
dolphin-emu-5.0-5.mga6.tainted
------------------ Tainted Updates Testing
dolphin-emu-5.0-5.2.mga6.tainted

Could this be checked please? Thanks.
Whiteboard: (none) => feedback
So that's an issue with the previous update, not this one. Sysadmins, would it be possible to remove the previous update from core/updates after this one is pushed?
Whiteboard: feedback => (none)
MGA6-32 on IBM Thinkpad R50e Xfce

Installation: strange, I do not see any bctoolbox at all in the repo, but I find two libbctoolbox packages of the version indicated in Comment 4. Installed those with the rest of the packages and ran the test as per bug 20561:

# mbedtls-selftest
MD5 test #1: passed
MD5 test #2: passed
....
and at the end:
TIMING tests note: will take some time!
TIMING test #1 (set_alarm / get_timer): passed
TIMING test #2 (set/get_delay ): passed
TIMING test #3 (hardclock / get_timer): failed (ignored)
Executed 23 test suites
[ All tests PASS ]

If the bctoolbox issue can be resolved, then I'll agree to OK this.
CC: (none) => herman.viaene
@Herman, comment 7

$ sudo urpmi bctoolbox
Package lib64bctoolbox0-0.2.0-4.1.mga6.x86_64 is already installed

So it looks like it is just a library, a toolbox for programmers probably.

$ locate bctoolbox
/usr/lib64/libbctoolbox.so.0
/usr/share/doc/lib64bctoolbox0
/usr/share/doc/lib64bctoolbox0/COPYING

So my advice is go ahead and OK it.
CC: (none) => tarazed25
The master has spoken.
Whiteboard: (none) => MGA6-32-OK
Advisory done as per comment 4; but note that the bug RPMs page has dolphin-emu in both core & tainted. Comments 5 & 6 have a bearing.

SRPMs from 'core-updates_testing'
========================
bctoolbox-0.2.0-4.2.mga6.src.rpm
dolphin-emu-5.0-5.2.mga6.src.rpm
hiawatha-10.4-1.2.mga6.src.rpm
mbedtls-2.7.3-1.mga6.src.rpm
shadowsocks-libev-3.1.0-1.2.mga6.src.rpm

SRPMs from 'tainted-updates_testing'
========================
dolphin-emu-5.0-5.2.mga6.tainted.src.rpm
CC: (none) => lewyssmith
Keywords: (none) => advisory, validated_update
(In reply to David Walser from comment #6)
> So that's an issue with the previous update, not this one.
>
> Sysadmins, would it be possible to remove the previous update from
> core/updates after this one is pushed?

I moved it to tainted/updates to keep the downgrade option available...
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0253.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED