mbedtls 2.16.8 was released with three security advisories:
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 (CVE-2020-16150)
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-3

Already pushed to Cauldron. This issue is for the Mageia 7 update.
Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

mbedtls 2.16.8 fixes three security vulnerabilities which could affect earlier releases:

Local side channel attack on classical CBC decryption in (D)TLS (CVE-2020-16150).
Local side channel attack on RSA and static Diffie-Hellman.
Protocol weakness in DHE-PSK key exchange.

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-3

SRPM in core/updates_testing:
=============================
mbedtls-2.16.8-1.mga7

RPMs in core/updates_testing:
=============================
mbedtls-2.16.8-1.mga7
lib64mbedtls-devel-2.16.8-1.mga7
lib64mbedcrypto3-2.16.8-1.mga7
lib64mbedtls12-2.16.8-1.mga7
lib64mbedx509_0-2.16.8-1.mga7

Testing procedure:
==================
https://bugs.mageia.org/show_bug.cgi?id=26924#c1

Note: an update candidate will be pushed soon for `godot`, in case you want to test both at once.
CC: (none) => rverschelde
Keywords: (none) => has_procedure
Assignee: rverschelde => qa-bugs
(In reply to Rémi Verschelde from comment #1)
> Note: an update candidate will be pushed soon for `godot`, in case you want
> to test both at once.

Here it is: bug 27283.
MGA7-64 on Lenovo B50
No installation issues.
A disaster trying to test this with the new version of godot, see bug 27282.
Ref bug 26924 for other test.

Installed hiawatha, then
# systemctl stop httpd
# systemctl enable hiawatha
Created symlink /etc/systemd/system/multi-user.target.wants/hiawatha.service → /usr/lib/systemd/system/hiawatha.service.
# systemctl start hiawatha
# systemctl status hiawatha
● hiawatha.service - Hiawatha Web Server
   Loaded: loaded (/usr/lib/systemd/system/hiawatha.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-09-19 13:49:43 CEST; 14s ago
  Process: 7906 ExecStartPre=/usr/sbin/wigwam (code=exited, status=0/SUCCESS)
  Process: 7907 ExecStartPre=/usr/sbin/hiawatha -k (code=exited, status=0/SUCCESS)
 Main PID: 7908 (hiawatha)
    Tasks: 27 (limit: 4915)
   Memory: 2.2M
   CGroup: /system.slice/hiawatha.service
           └─7908 /usr/sbin/hiawatha -d

Sep 19 13:49:43 mach5.hviaene.thuis systemd[1]: Starting Hiawatha Web Server...
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7906]: Using /etc/hiawatha
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7906]: Reading hiawatha.conf
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7906]: No non-fatal errors found in the Hiawatha configuration.
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Using /etc/hiawatha
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Reading hiawatha.conf
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Reading mimetype.conf
Sep 19 13:49:43 mach5.hviaene.thuis hiawatha[7907]: Configuration OK.
Sep 19 13:49:43 mach5.hviaene.thuis systemd[1]: Started Hiawatha Web Server.

Pointing firefox to localhost gives "It works" and it does not interfere with using my usual banking page.
For me it is OK. Just waiting whether someone else has more success with godot.
CC: (none) => herman.viaene
OK following godot.
Whiteboard: (none) => MGA7-64-OK
Validated update. Advisory and Packages in Comment 2.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
Fedora has issued an advisory for this on September 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5OSOFUD6UTGTDDSQRS62BPXDU52I6PUA/
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0370.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2020-36476 also fixed in this update: https://www.debian.org/lts/security/2021/dla-2826
Summary: mbedtls new security issues fixed in 2.16.8 (incl. CVE-2020-16150) => mbedtls new security issues fixed in 2.16.8 (incl. CVE-2020-16150 and CVE-2020-36476)
This update also fixed CVE-2020-3642[1-6]: https://www.debian.org/lts/security/2022/dla-3249