Upstream has issued an advisory on November 30: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03 The issue is fixed upstream in 2.7.8. 2.7.7 (November 20) also fixed some security issues: https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.0-2.7.7-and-2.1.16-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released Fedora has issued an advisory for this on December 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JPMHKBJDZVFFML2CJYXG3ELX7ADDG6ET/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since the registered maintainer for this package is most likely still unavailable. Also CC'ing some committers and the registered maintainer.
Assignee: bugsquad => pkg-bugsCC: (none) => geiger.david68210, marja11, mrambo, oe, rverschelde, smelror
mbedtls-2.7.8-1.mga7 uploaded for Cauldron.
Version: Cauldron => 6Whiteboard: MGA6TOO => (none)
Advisory: ======================== Updated mbedtls packages fix security vulnerability: A vulnerability was found in mbedTLS which allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites (CVE-2018-19608). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19608 https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03 https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.0-2.7.7-and-2.1.16-released https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JPMHKBJDZVFFML2CJYXG3ELX7ADDG6ET/ ======================== Updated packages in core/updates_testing: ======================== mbedtls-2.7.8-1.mga6 libmbedtls10-2.7.8-1.mga6 libmbedtls-devel-2.7.8-1.mga6 from mbedtls-2.7.8-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e No installation issues. Ref bug 23660 $ mbedtls-selftest MD5 test #1: passed MD5 test #2: passed MD5 test #3: passed MD5 test #4: passed MD5 test #5: passed MD5 test #6: passed MD5 test #7: passed RIPEMD-160 test #1: passed RIPEMD-160 test #2: passed and a lot more, all "passed" and$ mbedtls-hello MD5('Hello, world!') = 6cd3556deb0da54bca060b4c39479839 but $ mbedtls-ssl_cert_test . Loading the CA root certificate ... failed ! mbedtls_x509_crt_parse_file returned -15872 No idea what this is really about, is it something not initiated correctly on this laptop????
CC: (none) => herman.viaene
Testing M6/64 Nothing helpful in the CVE references. BEFORE update: mbedtls-2.7.6-1.mga6 lib64mbedtls10-2.7.6-1.mga6 Ran the standard self-test: $ mbedtls-selftest ... Executed 23 test suites [ All tests PASS ] Alas, using strace did *not* show use of the library... According to https://bugs.mageia.org/show_bug.cgi?id=23660#c4 "Always make sure you test a package that uses a library and not just its own tools, to make sure it hasn't broken binary compatibility." $ urpmq --whatrequires lib64mbedtls10 | uniq dolphin-emu hiawatha (libs) mbedtls shadowsocks-libev Len has previously tried hiawatha - a big transplant - for nothing: https://bugs.mageia.org/show_bug.cgi?id=23660#c6 "Installed hiawatha and noted that mbedtls and lib64mbedtls10 were required. ... started hiawatha under strace. Visited various sites in firefox then closed down hiawatha. No sign of mbedtls interaction in the trace however." So I am not trying that. What is 'dolphin-emu'? "Dolphin is an emulator for two recent Nintendo video game consoles: the GameCube and the Wii. It allows PC gamers to enjoy games for these two consoles in full HD (1080p) with several enhancements: compatibility with all PC controllers, turbo speed, networked multiplayer, and even more!" No thanks. https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released says: "API Changes (2.14.1, 2.7.8) The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions." Implying that the old functions & their interfaces remain *unchanged*, and that calling applications should change to using the new functions. Following Hermans's leads, same results for both: $ mbedtls-hello MD5('Hello, world!') = 6cd3556deb0da54bca060b4c39479839 $ mbedtls-ssl_cert_test . Loading the CA root certificate ... failed ! mbedtls_x509_crt_parse_file returned -15872 ------------------------------------------------ AFTER update: - lib64mbedtls10-2.7.8-1.mga6.x86_64 - mbedtls-2.7.8-1.mga6.x86_64 Selecting first mbedtls did *not* automatically require lib64mbedtls10. However, reassuringly: $ urpmq --requires mbedtls | grep libmbedtls mbedtls: libmbedtls.so.10()(64bit) *5 $ mbedtls-selftest Same OK result as before. $ mbedtls-hello " $ mbedtls-ssl_cert_test " Pushing this on.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA6-64-OKCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0027.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED