Looks like I missed 2.16.10, and 2.16.11 was just released.

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

This update provides Mbed TLS 2.16.11, with a number of bug fixes, including security fixes. The intermediate version 2.16.10 also included security fixes. See the referenced release notes and advisories for details.

References:
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

SRPM in core/updates_testing:
=============================
mbedtls-2.16.11-1.mga8

RPMs in core/updates_testing:
=============================
mbedtls-2.16.11-1.mga9
lib64mbedtls-devel-2.16.11-1.mga9
lib64mbedcrypto3-2.16.11-1.mga9
lib64mbedtls12-2.16.11-1.mga9
lib64mbedx509_0-2.16.11-1.mga9

Testing procedure:
==================
https://bugs.mageia.org/show_bug.cgi?id=26924#c1
Keywords: (none) => has_procedure
Corrected packages list:

Reassigning as a security bug report.

Updated packages in core/updates_testing:
========================
lib(64)mbedcrypto3-2.16.11-1.mga8
lib(64)mbedtls-devel-2.16.11-1.mga8
lib(64)mbedtls12-2.16.11-1.mga8
lib(64)mbedx509_0-2.16.11-1.mga8
mbedtls-2.16.11-1.mga8

SRPMs from 'core-updates_testing'
========================
mbedtls-2.16.11-1.mga8.src.rpm
Component: RPM Packages => Security
CC: (none) => ouaurelien
QA Contact: (none) => security
mga8, x86_64

The security problems relate to "side channel attacks" - not within our scope to reproduce.

Installed the six core packages then updated them.

Elected to use the godot test procedure, starting a project then finding templates and browsing the assetlib and installing a couple of modules.

$ grep mbedtls godot.trace
openat(AT_FDCWD, "/lib64/libmbedtls.so.12", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.11", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.2.16.11", O_RDONLY) = 6

Searching for "tls" in the trace file turns up entries like:

clone(child_stack=0x7f9a0061fe30, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2399179], tls=0x7f9a00620640, child_tidptr=0x7f9a00620910) = 2399179

Giving this an OK for 64-bit.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 0, with correct srpm in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0361.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
One of the issues fixed in 2.16.10 has a CVE:

https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW/
Summary: mbedtls new security issues fixed in 2.16.10 and 2.16.11 => mbedtls new security issues fixed in 2.16.10 and 2.16.11 (including CVE-2021-24119)