Fedora has issued an advisory today (December 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LO6LIL4J4QQPO2NYSTI6P3PQ766CJCIF/

2.16.9 was released on December 11 and fixes 4 security issues: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Fixed in Cauldron with mbedtls-2.16.9-1.mga8.

Update for Mageia 7:

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

This update provides security bug fixes and minor enhancements.

Security fixes:

Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs.

A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography are implemented. This could cause failures or the silent use of non-random values.

Fix a compliance issue whereby the library did not check the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature.

Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory.

References:
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9

SRPM in core/updates_testing:
=============================
mbedtls-2.16.9-1.mga7

RPMs in core/updates_testing:
=============================
mbedtls-2.16.9-1.mga7
lib64mbedtls12-2.16.9-1.mga7
lib64mbedx509_0-2.16.9-1.mga7
lib64mbedcrypto3-2.16.9-1.mga7
lib64mbedtls-devel-2.16.9-1.mga7

Testing procedure:
==================
https://bugs.mageia.org/show_bug.cgi?id=26924#c1
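The second fix in the advisory above (an ignored random-generator failure in mbedtls_mpi_fill_random()) is easiest to understand as a before/after pattern. The following is an added illustration written for this bug report, not code from mbedtls or from the Mageia package; it only mimics the shape of the mbedtls f_rng callback (int f_rng(void *ctx, unsigned char *buf, size_t len), 0 on success) with constructed RNG stand-ins and a placeholder error code, so it builds without the library.

```c
#include <stddef.h>
#include <string.h>

/* Callback shape modelled on the mbedtls f_rng convention (assumption for this example). */
typedef int (*rng_fn)(void *ctx, unsigned char *buf, size_t len);

/* Constructed RNG that always fails: writes nothing, reports an error. */
int failing_rng(void *ctx, unsigned char *buf, size_t len) {
    (void)ctx; (void)buf; (void)len;
    return -1;  /* placeholder error code, not an mbedtls constant */
}

/* Constructed RNG that "succeeds" with a deterministic pattern so the check is reproducible. */
int working_rng(void *ctx, unsigned char *buf, size_t len) {
    (void)ctx;
    for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)(0xA5 ^ i);
    return 0;
}

/* Pre-fix pattern: the RNG return value is discarded. On failure the caller
 * reports success and continues with whatever the buffer held (here: zeros),
 * which is the "silent use of non-random values" the advisory describes. */
int fill_random_unchecked(unsigned char *buf, size_t len, rng_fn f_rng, void *ctx) {
    memset(buf, 0, len);
    (void)f_rng(ctx, buf, len);
    return 0;
}

/* Post-fix pattern: propagate the RNG error to the caller and leave no
 * partially filled buffer behind that could be mistaken for key material. */
int fill_random_checked(unsigned char *buf, size_t len, rng_fn f_rng, void *ctx) {
    int ret = f_rng(ctx, buf, len);
    if (ret != 0) {
        volatile unsigned char *p = buf;  /* volatile so the wipe is not optimised away */
        while (len--) *p++ = 0;
        return ret;
    }
    return 0;
}

/* Detection helper: 1 if the buffer is entirely zero, i.e. no randomness landed in it. */
int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}
```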
Whiteboard: MGA7TOO => (none)
Assignee: rverschelde => qa-bugs
Version: Cauldron => 7
Keywords: (none) => has_procedure
(And thanks David for the report!)
mga7, x64

Updated the five packages. Invoked the godot editor and started a new game project in an empty godot folder. Browsed the assetlib, downloaded and installed 2D Shapes and Camera Shake. Hoping that is sufficient.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Source RPM: mbedtls-2.16.8-1.mga8.src.rpm => mbedtls-2.16.8-1.mga7.src.rpm
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0469.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
One of these issues has CVE-2020-10932: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JXL26ADEMUDQB634BGFJBSDD6LVNPAKC/
Summary: mbedtls new security issues fixed upstream in 2.16.9 => mbedtls new security issues fixed upstream in 2.16.9 (including CVE-2020-10932)
CVE-2020-3647[58] also fixed in this update: https://www.debian.org/lts/security/2021/dla-2826
Summary: mbedtls new security issues fixed upstream in 2.16.9 (including CVE-2020-10932) => mbedtls new security issues fixed upstream in 2.16.9 (including CVE-2020-10932 and CVE-2020-3647[58])