Bug 27282 - mbedtls new security issues fixed in 2.16.8 (incl. CVE-2020-16150 and CVE-2020-36476)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2020-09-17 10:52 CEST by Rémi Verschelde
Modified: 2022-12-27 16:46 CET

See Also:
Source RPM: mbedtls-2.16.7-1.mga7
CVE:
Status comment:


Description Rémi Verschelde 2020-09-17 10:52:07 CEST
mbedtls 2.16.8 was released with three security advisories:

- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 (CVE-2020-16150)
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-3

Already pushed to Cauldron.

This issue is for the Mageia 7 update.
Comment 1 Rémi Verschelde 2020-09-17 11:00:18 CEST
Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

  mbedtls 2.16.8 fixes three security vulnerabilities which could affect earlier
  releases:

  Local side channel attack on classical CBC decryption in (D)TLS
  (CVE-2020-16150).

  Local side channel attack on RSA and static Diffie-Hellman.

  Protocol weakness in DHE-PSK key exchange.

References:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-3

SRPM in core/updates_testing:
=============================

mbedtls-2.16.8-1.mga7

RPMs in core/updates_testing:
=============================

mbedtls-2.16.8-1.mga7
lib64mbedtls-devel-2.16.8-1.mga7
lib64mbedcrypto3-2.16.8-1.mga7
lib64mbedtls12-2.16.8-1.mga7
lib64mbedx509_0-2.16.8-1.mga7

Testing procedure:
==================

https://bugs.mageia.org/show_bug.cgi?id=26924#c1

Note: an update candidate will be pushed soon for `godot`, in case you want to test both at once.

CC: (none) => rverschelde
Keywords: (none) => has_procedure
Assignee: rverschelde => qa-bugs

Comment 2 Rémi Verschelde 2020-09-17 12:52:47 CEST
(In reply to Rémi Verschelde from comment #1)
> Note: an update candidate will be pushed soon for `godot`, in case you want
> to test both at once.

Here it is: bug 27283.
Comment 3 Herman Viaene 2020-09-19 13:56:48 CEST
MGA7-64 on Lenovo B50
No installation issues.
A disaster trying to test this with the new version of godot, see bug 27282.
Ref bug 26924 for other test. Installed hiawatha, then
# systemctl stop httpd

# systemctl enable hiawatha
Created symlink /etc/systemd/system/multi-user.target.wants/hiawatha.service → /usr/lib/systemd/system/hiawatha.service.

# systemctl start hiawatha

# systemctl status hiawatha
● hiawatha.service - Hiawatha Web Server
   Loaded: loaded (/usr/lib/systemd/system/hiawatha.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-09-19 13:49:43 CEST; 14s ago
  Process: 7906 ExecStartPre=/usr/sbin/wigwam (code=exited, status=0/SUCCESS)
  Process: 7907 ExecStartPre=/usr/sbin/hiawatha -k (code=exited, status=0/SUCCESS)
 Main PID: 7908 (hiawatha)
    Tasks: 27 (limit: 4915)
   Memory: 2.2M
   CGroup: /system.slice/hiawatha.service
           └─7908 /usr/sbin/hiawatha -d

Sep 19 13:49:43 mach5.hviaene.thuis systemd[1]: Starting Hiawatha Web Server...
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7906]: Using /etc/hiawatha
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7906]: Reading hiawatha.conf
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7906]: No non-fatal errors found in the Hiawatha configuration.
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Using /etc/hiawatha
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Reading hiawatha.conf
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Reading mimetype.conf
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Configuration OK.
Sep 19 13:49:43 mach5.hviaene.thuis systemd[1]: Started Hiawatha Web Server.

Pointing firefox to localhost gives "It works" and it does not interfere with using my usual banking page.

For me it is OK. Just waiting to see whether someone else has more success with godot.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2020-09-21 14:50:45 CEST
OK following godot.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2020-09-21 17:45:14 CEST
Validated update
Advisory and Packages in Comment 2.

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 6 David Walser 2020-09-22 23:36:57 CEST
Fedora has issued an advisory for this on September 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5OSOFUD6UTGTDDSQRS62BPXDU52I6PUA/
Comment 7 Mageia Robot 2020-09-27 22:07:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0370.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2021-11-25 01:05:46 CET
CVE-2020-36476 also fixed in this update:
https://www.debian.org/lts/security/2021/dla-2826

Summary: mbedtls new security issues fixed in 2.16.8 (incl. CVE-2020-16150) => mbedtls new security issues fixed in 2.16.8 (incl. CVE-2020-16150 and CVE-2020-36476)

Comment 9 David Walser 2022-12-27 16:46:17 CET
This update also fixed CVE-2020-3642[1-6]:
https://www.debian.org/lts/security/2022/dla-3249
