Bug 29866 - mbedtls new security issues fixed in 2.16.12 (including CVE-2021-44732)
Summary: mbedtls new security issues fixed in 2.16.12 (including CVE-2021-44732)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-11 00:35 CET by David Walser
Modified: 2022-12-27 16:42 CET
CC List: 5 users

See Also:
Source RPM: mbedtls-2.16.11-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-01-11 00:35:22 CET
Fedora has issued an advisory today (January 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ITH635OB2ZROZMEXLTAU3K7POAVUF5JY/

Upstream advisory from December 14:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

The issues are fixed upstream in 2.16.12 (released December 17):
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12

Mageia 8 is also affected.
David Walser 2022-01-11 00:35:39 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Rémi Verschelde 2022-01-11 10:10:52 CET
On it. For the record mbedtls 2.16.12 is the final release in the 2.16 LTS branch, so we'll have to move to their newly released 2.28 LTS branch (in Cauldron first, and then see if we can afford the switch in Mageia 8 or should do what we can to backport security fixes - depends on what other distros do I guess).

Status: NEW => ASSIGNED

Comment 2 Rémi Verschelde 2022-01-11 10:15:27 CET
mbedtls-2.16.12-1.mga9 pushed to Cauldron.

Update candidate for Mageia 8:

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

  This update provides Mbed TLS 2.16.12, with a number of bug fixes, including
  security fixes.

  See the referenced release notes and advisory for details.

References:

 - https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12
 - https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12

SRPM in core/updates_testing:
=============================

mbedtls-2.16.12-1.mga8

RPMs in core/updates_testing:
=============================

mbedtls-2.16.12-1.mga8
lib64mbedtls-devel-2.16.12-1.mga8
lib64mbedcrypto3-2.16.12-1.mga8
lib64mbedtls12-2.16.12-1.mga8
lib64mbedx509_0-2.16.12-1.mga8

Testing procedure:
==================

https://bugs.mageia.org/show_bug.cgi?id=26924#c1

Assignee: rverschelde => qa-bugs
Version: Cauldron => 8
CC: (none) => rverschelde
Whiteboard: MGA8TOO => (none)
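An added example, not part of the bug report and not Mageia's own QA tooling: a POSIX shell check that compares what a tester actually has installed (the output of `rpm -qa '*mbed*'`) against the update-candidate package list in Comment 2, so a partially applied update (one library still at 2.16.11, or a subpackage never pulled in) is caught before the whiteboard gets an OK. The `rpm -qa` output embedded below is constructed, not captured from a real host; it leaves the -devel package at the previous release and omits lib64mbedx509_0 to show both failure reports.

```shell
#!/bin/sh
# Added example (not from the bug report or from Mageia QA tooling): compare the
# mbedtls packages installed on a Mageia 8 test host against the update
# candidate listed in Comment 2.
# Real use:  check_update "$EXPECTED" "$(rpm -qa '*mbed*')"

# NEVRs of the update candidate, as listed in the bug report.
EXPECTED='mbedtls-2.16.12-1.mga8
lib64mbedtls-devel-2.16.12-1.mga8
lib64mbedcrypto3-2.16.12-1.mga8
lib64mbedtls12-2.16.12-1.mga8
lib64mbedx509_0-2.16.12-1.mga8'

# Constructed sample of `rpm -qa '*mbed*'` (not captured from a real host):
# the -devel package is still at the previous release 2.16.11 and
# lib64mbedx509_0 is not installed at all.
SAMPLE_RPM_QA='mbedtls-2.16.12-1.mga8
lib64mbedtls-devel-2.16.11-1.mga8
lib64mbedcrypto3-2.16.12-1.mga8
lib64mbedtls12-2.16.12-1.mga8'

# pkg_name NEVR: strip the trailing "-VERSION-RELEASE" to get the package name.
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# check_update EXPECTED INSTALLED: print one status line per expected package
# (OK / OLD / MISSING) and return 0 only if every package matches exactly.
check_update() {
    expected=$1
    installed=$2
    status=0
    for want in $expected; do
        if printf '%s\n' "$installed" | grep -qx -- "$want"; then
            printf 'OK       %s\n' "$want"
            continue
        fi
        name=$(pkg_name "$want")
        # Same package name present at some other version-release?
        have=$(printf '%s\n' "$installed" | grep -- "^$name-[^-]*-[^-]*$" | head -n 1)
        if [ -n "$have" ]; then
            printf 'OLD      %s (installed: %s)\n' "$want" "$have"
        else
            printf 'MISSING  %s\n' "$want"
        fi
        status=1
    done
    return "$status"
}

# Stand-alone run against the constructed sample: reports one OLD and one MISSING.
check_update "$EXPECTED" "$SAMPLE_RPM_QA" || echo "update candidate not fully installed"
```

The exact-NEVR match is deliberate: a tester who only checks `rpm -q mbedtls` can still be linking against an old lib64mbedtls12 or lib64mbedcrypto3, and those shared libraries, not the command-line package, are what hiawatha and godot load.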

Comment 3 Len Lawrence 2022-01-11 19:27:53 CET
mga8, x64
Before updating:
The mbedtls packages were already installed but running godot failed with an error saying that the video driver did not support any of the supported OpenGL drivers. The GTX 1080Ti graphics card uses the nvidia 470.86 driver and has worked before in this context. This is a separate issue from mbedtls so a move to another machine is in order. Later.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2022-01-11 20:25:07 CET
OK. GLX is working on another nvidia machine.
Installed and updated mbedtls packages. Installed hiawatha and godot.
Replaced httpd by hiawatha and checked the welcome message at localhost in a browser - "It works!"

Visited a secure banking site, supplied credentials and downloaded accounts information.  No problems.

Ran godot from the cli. Interface appeared. Created a user project, browsed asset library and downloaded and installed three tools without issue.
Viewed the res://assets/ in the FileSystem section and found the new tools listed under addons.
Played about with the GUI but with no training had to back out.

It all looks good as far as it goes.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-01-11 23:01:28 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-01-14 22:02:18 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-01-15 09:11:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0017.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2022-12-27 16:42:44 CET
This update also fixed CVE-2021-43666:
https://www.debian.org/lts/security/2022/dla-3249