Upstream has issued an advisory on September 6:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10

The issue is fixed upstream in 2.16.3:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released

Fedora has issued an advisory for this on October 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PEHHH2DOBXB25CAU3Q6E66X723VAYTB5/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.16.3
New advisory for security issue fixed in 2.16.4 (CVE-2019-18222):
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

I will upgrade to 2.16.4 for both Mageia 7 and Cauldron.
Status comment: Fixed upstream in 2.16.3 => Fixed upstream in 2.16.4
Status: NEW => ASSIGNED
Summary: mbedtls new security issue CVE-2019-16910 => mbedtls new security issues CVE-2019-16910, CVE-2019-18222
Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

This update from mbedTLS 2.16.2 to mbedTLS 2.16.4 fixes several security vulnerabilities, among which:

The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels (CVE-2019-16910).

Fix side channel vulnerability in ECDSA. Our bignum implementation is not constant time/constant trace, so side channel attacks can retrieve the blinded value, factor it (as it is smaller than RSA keys and not guaranteed to have only large prime factors), and then, by brute force, recover the key (CVE-2019-18222).

See release notes for details.

References:
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

RPMs in core/updates_testing:
=============================
mbedtls-2.16.4-1.mga7
lib64mbedtls12-2.16.4-1.mga7
lib64mbedx509_0-2.16.4-1.mga7
lib64mbedcrypto3-2.16.4-1.mga7
lib64mbedtls-devel-2.16.4-1.mga7

SRPM in core/updates_testing:
=============================
mbedtls-2.16.4-1.mga7

Testing procedure:
==================

This can be tested via the SSL support feature of applications using mbedtls, notably:
- dolphin-emu
- godot
- hiawatha
- obs-studio

mbedtls will be used when e.g. resolving a HTTPS URL. In Godot, this can be done by browsing its Asset Library (all images and descriptions should be served over HTTPS).
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Keywords: (none) => has_procedure
Assignee: rverschelde => qa-bugs
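An added illustration (not part of the original bug report and not mbedTLS code) of why the blinding value described for CVE-2019-16910 repeats: when the nonce and the blinding value are both drawn from one HMAC-DRBG seeded only from the key and message hash, every signature over the same input gets the same blinding. The seeding is simplified, and the function names, the sample key and message, and the independent-randomness variant are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class HmacDrbg:
    """Minimal HMAC_DRBG (SHA-256, NIST SP 800-90A) without reseeding."""

    def __init__(self, seed: bytes):
        self.k, self.v = b"\x00" * 32, b"\x01" * 32
        self._update(seed)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.k, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        for sep in (b"\x00", b"\x01"):
            self.k = self._mac(self.v + sep + data)
            self.v = self._mac(self.v)
            if not data:  # with no input, only the first round runs
                break

    def generate(self, n: int = 32) -> bytes:
        out = b""
        while len(out) < n:
            self.v = self._mac(self.v)
            out += self.v
        self._update()
        return out[:n]


def draws_shared_drbg(key: bytes, msg: bytes):
    """Flawed pattern: nonce and blinding value come from the same
    deterministic DRBG, seeded only from the key and message hash."""
    drbg = HmacDrbg(key + hashlib.sha256(msg).digest())
    return drbg.generate(), drbg.generate()  # (nonce, blinding)


def draws_independent_blinding(key: bytes, msg: bytes):
    """Nonce stays deterministic; blinding comes from a separate random
    source (an illustrative mitigation, not upstream's patch)."""
    drbg = HmacDrbg(key + hashlib.sha256(msg).digest())
    return drbg.generate(), secrets.token_bytes(32)


KEY = bytes(range(32))  # constructed sample key, not a real secret
MSG = b"constructed sample message"
```
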
Mageia7, x86_64

Installed godot and hiawatha. Installed the five packages then updated them from testing repositories. Noted that godot was listed in updates testing but left it at version 3.1.1-1.

Opened the project manager in godot and then the assets library. Selected one of the sample demos, downloaded it and installed it in a user folder. Exited from the full-screen editor and closed down. Hopefully that is enough to validate godot and mbedtls.

Stopped apache and started hiawatha. Status checks were good. Pointed browser at localhost:80/ to display the Hiawatha "Installation successful" message. Browsed a little. No problems with https sites.

Giving this the OK, and thanks Rémi for the procedure.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Thank you both, Gentlemen. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0053.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Fedora has issued an advisory for the newer issue on February 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A3GWQNONS7GRORXZJ7MOJFUEJ2ZJ4OUW/