Fedora has issued an advisory on October 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TALJHOYAYSUJTLN6BYGLO4YJGNZUY74W/

Additionally, upstream has issued an advisory on July 11:
https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2022-07/

The issues are fixed upstream in 2.28.1:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.28.1
Whiteboard: (none) => MGA8TOO
Status: NEW => ASSIGNED
Submitted 2.28.1-1.mga9 to Cauldron.

For Mageia 8, it seems like the vulnerabilities might not be relevant for the previous 2.16.x LTS branch we're using.

For CVE-2021-45450 and CVE-2021-45451, Debian claims that the vulnerable code was introduced later:
https://security-tracker.debian.org/tracker/CVE-2021-45450
https://security-tracker.debian.org/tracker/CVE-2021-45451
Both are indeed vulnerabilities in `library/psa_crypto.c` which doesn't exist in Mageia 8's 2.16.12 (and I don't find corresponding code in other files).

For CVE-2022-35409, Debian says their 2.16.x packages are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2022-35409
That seems to be the case indeed (at least the affected code exists). Debian lists a ton of related commits but most are documentation, debug code or test cases. The actual vulnerability fix seems to be https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

So I've backported this trivial patch to 2.16.12 for Mageia 8. Advisory in next comment.
(As described above, the Mageia 8 update only fixes CVE-2022-35409, the other CVEs are not applicable as there's no PSA support in 2.16.x.)

Advisory:
=========

Updated mbedtls packages fix security vulnerability

An unauthenticated remote host could send an invalid ClientHello message in which the declared length of the cookie extends past the end of the message. A DTLS server with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled would read past the end of the message up to the declared length of the cookie. This could cause a buffer overread of up to 255 bytes on the heap in vulnerable DTLS servers, which may lead to a crash or to information disclosure via the cookie check function (CVE-2022-35409).

This issue has been patched, backporting a fix from upstream's 2.28.0 release.

References:
- https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2022-07/
- https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

SRPM in mga8 core/updates_testing:
==================================
mbedtls-2.16.12-1.1.mga8

RPMs in mga8 core/updates_testing:
==================================
mbedtls-2.16.12-1.1.mga8
lib64mbedcrypto3-2.16.12-1.1.mga8
lib64mbedx509_0-2.16.12-1.1.mga8
lib64mbedtls12-2.16.12-1.1.mga8
lib64mbedtls-devel-2.16.12-1.1.mga8
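The bug class behind CVE-2022-35409 is a length field trusted beyond the bytes actually received. The following is an added, constructed illustration (not mbed TLS code and not the backported patch): it models a one-byte cookie length followed by the cookie, reports how far a declared length would reach past the end of a received message, and shows the cookie check with the bound in place. The message layout, function names and sample inputs are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of the cookie check the advisory describes.
 * Not mbed TLS code. Assumed layout of the relevant message tail:
 *   [cookie_len : 1 byte][cookie : cookie_len bytes] ... */

/* Number of bytes past the end of the received message that the declared
 * cookie length reaches. 0 means the cookie fits. A parser that trusts the
 * length byte without this comparison reads that many bytes out of bounds,
 * which for a one-byte length is at most 255 (the figure in the advisory). */
size_t cookie_overread_bytes(const uint8_t *msg, size_t msg_len)
{
    size_t declared, available;

    if (msg_len == 0)
        return 1;                 /* not even the length byte is present */
    declared = msg[0];            /* one-byte length field: 0..255 */
    available = msg_len - 1;      /* bytes actually following the length */
    return declared > available ? declared - available : 0;
}

/* Cookie check with the bound in place.
 * Returns 1 on match, 0 on mismatch, -1 if the message is malformed
 * (the declared length does not fit in what was received). */
int check_cookie(const uint8_t *msg, size_t msg_len,
                 const uint8_t *expected, size_t expected_len)
{
    size_t cookie_len;

    if (msg_len < 1)
        return -1;
    cookie_len = msg[0];
    /* Never compare against more bytes than the message contains. */
    if (cookie_len > msg_len - 1)
        return -1;
    if (cookie_len != expected_len)
        return 0;
    return memcmp(msg + 1, expected, cookie_len) == 0 ? 1 : 0;
}
```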
Assignee: rverschelde => qa-bugs
Version: Cauldron => 8
Summary: mbedtls new security issues CVE-2021-4545[01] and CVE-2022-35409 => mbedtls new security issue CVE-2022-35409
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.28.1 => (none)
MGA8-64 MATE on Acer Aspire 5253

No installation issues.
Followed test from bug 29866, installed hiawatha and godot.
Made sure httpd is not running, then
# systemctl -l start hiawatha
Pointed browser to localhost and got a nice page:
"Installation successful
Congratulations! The Hiawatha webserver has successfully been installed on this system."
Started godot and could download some stuff, but as I have no affinity with games, I left it at that.
Good enough for me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0415.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED