Upstream has issued an advisory on July 25:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02

The issues were fixed in 2.7.5:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released

2.7.6 was also released on September 10, fixing a minor security issue:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.13.0-2.7.6-and-2.1.15-released

Debian has issued an advisory for this on September 16:
https://www.debian.org/security/2018/dsa-4296

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable. Also CC'ing some committers & the registered maintainer.
CC: (none) => geiger.david68210, marja11, oe, rverschelde, smelror
Assignee: bugsquad => pkg-bugs
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mbedtls package fixes security vulnerabilities:

Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certain conditions by exploiting timing side-channels (CVE-2018-0497).

Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions (CVE-2018-0498).

Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing (no CVE assigned).

References:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released
https://tls.mbed.org/tech-updates/releases/mbedtls-2.13.0-2.7.6-and-2.1.15-released
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0498
========================

Updated packages in core/updates_testing:
========================
lib64mbedtls10-2.7.6-1.mga6.x86_64.rpm
lib64mbedtls-devel-2.7.6-1.mga6.x86_64.rpm
mbedtls-2.7.6-1.mga6.x86_64.rpm

from mbedtls-2.7.6-1.mga6.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=20561#c3
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => mrambo
Keywords: (none) => has_procedure
Version: Cauldron => 6
Mageia 6, x86_64

No PoCs found for the CVEs.

Ran self-test:

$ mbedtls-selftest
MD5 test #1: passed
[...]
Executed 23 test suites
[ All tests PASS ]

Updated the packages:

$ mbedtls-selftest
MD5 test #1: passed
[...]
AES-GCM-256 #5 split (enc): passed
AES-GCM-256 #5 split (dec): passed
[...]
X.509 certificate load: passed
X.509 signature verify: passed
[...]
TIMING test #1 (set_alarm / get_timer): passed
TIMING test #2 (set/get_delay ): passed
TIMING test #3 (hardclock / get_timer): passed
Executed 23 test suites
[ All tests PASS ]
$

Passing this for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Always make sure you test a package that uses a library and not just its own tools, to make sure it hasn't broken binary compatibility.
Thanks for the heads-up, David. It looks like hiawatha is a candidate - tomorrow.
Whiteboard: MGA6-64-OK => (none)
Testing hiawatha.

Removed mbedtls and support library. Stopped apache. Installed hiawatha and noted that mbedtls and lib64mbedtls10 were required. Updated mbedtls and the library again and started hiawatha under strace. Visited various sites in firefox then closed down hiawatha. No sign of mbedtls interaction in the trace however. Have to leave it there.

Know nothing about dolphin-emu or shadowsocks. Reinstating the 64-bit OK.
Whiteboard: (none) => MGA6-64-OK
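
One way to confirm that a running consumer of the library actually has the updated mbedtls shared objects mapped, in addition to the strace run described in the comment above (added example, not part of the original thread; the function names and the sample maps lines are constructed for illustration):

```shell
#!/bin/sh
# Added example: report which mbedtls shared objects a process has mapped.
# Input is text in /proc/<pid>/maps format. "stale" means the kernel marks
# the file "(deleted)": it was replaced on disk after being loaded, so the
# process still runs the pre-update code until it is restarted.

mbedtls_maps() {
    awk '
        # Field 6 is the mapped pathname; anonymous mappings have none.
        $6 ~ /\/libmbed(tls|crypto|x509)\.so/ {
            state = ($NF == "(deleted)") ? "stale" : "current"
            key = state " " $6
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Wrapper for a live process. Returns 0 if only current copies are mapped,
# 1 if no mbedtls library is mapped, 2 if maps is unreadable, 3 if stale.
mbedtls_check_pid() {
    [ -r "/proc/$1/maps" ] || { echo "cannot read /proc/$1/maps" >&2; return 2; }
    out=$(mbedtls_maps < "/proc/$1/maps")
    [ -n "$out" ] || { echo "no mbedtls library mapped in pid $1"; return 1; }
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | grep -q '^stale '; then return 3; fi
    return 0
}

# Constructed sample: addresses, inodes and paths are illustrative only.
SAMPLE_MAPS='55d0a1c00000-55d0a1c4f000 r-xp 00000000 08:01 2101 /usr/sbin/hiawatha
55d0a2e10000-55d0a2e31000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c05e000 r-xp 00000000 08:01 1316 /usr/lib64/libmbedtls.so.2.7.6
7f3a1c25e000-7f3a1c260000 rw-p 0005e000 08:01 1316 /usr/lib64/libmbedtls.so.2.7.6
7f3a1d000000-7f3a1d040000 r-xp 00000000 08:01 1290 /usr/lib64/libmbedcrypto.so.2.7.5 (deleted)'

printf '%s\n' "$SAMPLE_MAPS" | mbedtls_maps
```

Run mbedtls_check_pid with the server's PID after updating the packages; a "stale" line means the service has not yet been restarted onto the new library.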
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0432.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED