Fedora has issued an advisory on June 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FCWN5HIF4CJ2LZTOMEBJ7Q4IMMV7ZU2V/

The issue is fixed upstream in 2.16.6:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => rverschelde
Weird, I committed 2.16.6 back on April 21, 2020, but it seems I did not submit it? Will have a look.
Fixed in Cauldron with mbedtls-2.16.6-1.mga8.
Pushed mbedtls-2.16.6-1.mga7 to Mageia 7 core/updates_testing.

Advisory:
=========

Updated mbedtls packages fix security vulnerability

Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. (CVE-2020-10932)

Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.

References:
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04

RPMs in core/updates_testing:
=============================
lib64mbedcrypto3-2.16.6-1.mga7
lib64mbedtls12-2.16.6-1.mga7
lib64mbedtls-devel-2.16.6-1.mga7
lib64mbedx509_0-2.16.6-1.mga7
mbedtls-2.16.6-1.mga7

SRPM in core/updates_testing:
=============================
mbedtls-2.16.6-1.mga7
CC: (none) => rverschelde
Assignee: rverschelde => qa-bugs
MGA7-64 Plasma on Lenovo B50

No installation issues.

Ref bug 2625 Comment 2 for testing. So started godot from CLI in a third desktop (QARepo and MCC in second as I usually do), then switched back to Desktop 1 to read the bug ref'ed above. Came back to Desktop 3, noticed that the window of godot lost all its contents, clicked on that window and the whole machine froze, no interaction with mouse or keyboard possible. Left it there for 15 min., then had to power the laptop off. Rebooted without problems.
CC: (none) => herman.viaene
That would be an issue with Godot itself, not related to mbedtls a priori. Lenovo B50 has relatively low end graphics so it might not be able to handle Godot's OpenGL 3.3 requirements fully.
CC: (none) => mageia
Keywords: (none) => advisory
Picking up the baton Herman - nvidia GTX970.

Ran the self-test suite before updating. Passed all 27 tests.
Clean update of the five packages.

$ mbedtls-selftest
....
TIMING test #3 (hardclock / get_timer): passed
Executed 27 test suites
[ All tests PASS ]

Installed godot.

$ godot
Godot Engine v3.2.1.stable.mageia - https://godotengine.org
OpenGL ES 3.0 Renderer: GeForce GTX 970/PCIe/SSE2
Project is missing: /home/lcl/godot/project.godot
Editing project: /home/lcl/godot (::home::lcl::godot)
Godot Engine v3.2.1.stable.mageia - https://godotengine.org
lcl@difda:~ $ OpenGL ES 3.0 Renderer: GeForce GTX 970/PCIe/SSE2
ERROR: set_path: Another resource is loaded from path 'res://art/enemyFlyingAlt_1.png' (possible cyclic resource inclusion).
   At: core/resource.cpp:81.

This presented a GUI which allowed games to be downloaded and installed. Chose one and installed it in a new folder and ran the editor. That looked perfectly functional but left it there and played the demo of "Dodge the Creeps". Hopefully this is enough for an OK.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO
Hmm. Not network tested.
Ran godot under strace. Downloaded and installed a game and ran it from the editor.

$ grep mbedtls godot.trace
openat(AT_FDCWD, "/lib64/libmbedtls.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.6", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.6", O_RDONLY) = 4

$ grep -i tls godot.trace
shows a lot of messages like this:
clone(child_stack=0x7fb7e9539ef0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[32422], tls=0x7fb7e953a700, child_tidptr=0x7fb7e953a9d0) = 32422

No idea if any of this intersects the area(s) concerned in the issues reported upstream.
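The strace check above answers the question a QA tester actually cares about for a library update: does the application load the fixed library, not a stale copy? The script below is an added example and is not from the bug report or from Mageia's tooling. It parses openat() lines of the kind quoted in the comment (the sample trace is constructed to mirror them), pulls out the full X.Y.Z versions of every libmbedtls.so that was opened, and compares each against the fixed version 2.16.6 named in the advisory. The function names (loaded_mbedtls_versions, version_ge, check_trace) are the example's own.

```shell
#!/bin/sh
# Added example: verify from an strace log that a process opened a fixed
# libmbedtls. Fixed version 2.16.6 is taken from the advisory in this bug.
FIXED_MBEDTLS_VERSION="2.16.6"

# Constructed sample trace, modelled on the `grep mbedtls godot.trace`
# output quoted in the thread (e.g. from `strace -f -o godot.trace godot`).
SAMPLE_TRACE='openat(AT_FDCWD, "/lib64/libmbedtls.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.6", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.6", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/lib64/libmbedcrypto.so.2.16.6", O_RDONLY) = 5'

# Print the distinct full versions (X.Y.Z) of libmbedtls.so opened in the
# trace text given as $1. The SONAME symlink (libmbedtls.so.12) carries no
# patch level, so only fully versioned real files are reported.
loaded_mbedtls_versions() {
    printf '%s\n' "$1" \
      | sed -n 's/.*libmbedtls\.so\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)".*/\1/p' \
      | sort -u
}

# Return 0 when dotted version $1 is >= dotted version $2.
# Numeric per-field sort so that 2.16.10 compares greater than 2.16.9.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# Return 0 if every libmbedtls.so opened in trace $1 is at or above the fixed
# version, 1 if any older copy was loaded, 2 if no versioned copy was seen.
check_trace() {
    versions=$(loaded_mbedtls_versions "$1")
    if [ -z "$versions" ]; then
        echo "no versioned libmbedtls.so opened in trace" >&2
        return 2
    fi
    rc=0
    for v in $versions; do
        if version_ge "$v" "$FIXED_MBEDTLS_VERSION"; then
            echo "libmbedtls.so.$v: fixed (>= $FIXED_MBEDTLS_VERSION)"
        else
            echo "libmbedtls.so.$v: still vulnerable (< $FIXED_MBEDTLS_VERSION)" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed trace; on a real system feed it
# the contents of godot.trace instead: check_trace "$(cat godot.trace)"
check_trace "$SAMPLE_TRACE"
```

Running it against the constructed trace reports libmbedtls.so.2.16.6 as fixed. The point of the version comparison rather than a plain grep is that a program may open more than one copy (a bundled library under its own prefix, or a leftover in /usr/local), and only the loaded version decides whether the update took effect.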
Yeah that's a good test, any download made from Godot uses HTTPS and thus mbedTLS.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Thanks Rémi - validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
What is the protocol for validating a QA update flagged as MGA7TOO? What about Cauldron?
Whiteboard: MGA7TOO MGA7-64-OK => MGA7-64-OK
Version: Cauldron => 7
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0265.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED