Fedora has issued an advisory today (January 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ITH635OB2ZROZMEXLTAU3K7POAVUF5JY/

Upstream advisory from December 14:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

The issues are fixed upstream in 2.16.12 (released December 17):
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
On it. For the record mbedtls 2.16.12 is the final release in the 2.16 LTS branch, so we'll have to move to their newly released 2.28 LTS branch (in Cauldron first, and then see if we can afford the switch in Mageia 8 or should do what we can to backport security fixes - depends on what other distros do I guess).
Status: NEW => ASSIGNED
mbedtls-2.16.12-1.mga9 pushed to Cauldron.

Update candidate for Mageia 8:

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

This update provides Mbed TLS 2.16.12, with a number of bug fixes, including security fixes. See the referenced release notes and advisory for details.

References:
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

SRPM in core/updates_testing:
=============================
mbedtls-2.16.12-1.mga8

RPMs in core/updates_testing:
=============================
mbedtls-2.16.12-1.mga8
lib64mbedtls-devel-2.16.12-1.mga8
lib64mbedcrypto3-2.16.12-1.mga8
lib64mbedtls12-2.16.12-1.mga8
lib64mbedx509_0-2.16.12-1.mga8

Testing procedure:
==================
https://bugs.mageia.org/show_bug.cgi?id=26924#c1
Assignee: rverschelde => qa-bugs
Version: Cauldron => 8
CC: (none) => rverschelde
Whiteboard: MGA8TOO => (none)
mga8, x64 Before updating: The mbedtls packages were already installed but running godot failed with an error saying that the video driver did not support any of the supported openGL drivers. The GTX 1080Ti graphics card uses the nvidia 470.86 driver and has worked before in this context. This is a separate issue from mbedtls so a move to another machine is in order. Later.
CC: (none) => tarazed25
OK. GLX is working on another nvidia machine. Installed and updated mbedtls packages. Installed hiawatha and godot. Replaced httpd by hiawatha and checked the welcome message at localhost in a browser - "It works!" Visited a secure banking site, supplied credentials and downloaded accounts information. No problems. Ran godot from the cli. Interface appeared. Created a user project, browsed asset library and downloaded and installed three tools without issue. Viewed the res://assets/ in the FileSystem section and found the new tools listed under addons. Played about with the gui but with no training had to back out. It all looks good as far as it goes.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0017.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2021-43666: https://www.debian.org/lts/security/2022/dla-3249