Fedora has issued an advisory on October 30:
Additionally, upstream has issued an advisory on July 11:
The issues are fixed upstream in 2.28.1:
Mageia 8 is also affected.
Submitted 2.28.1-1.mga9 to Cauldron.
For Mageia 8, it seems like the vulnerabilities might not be relevant for the previous 2.16.x LTS branch we're using.
For CVE-2021-45450 and CVE-2021-45451, Debian claims that the vulnerable code was introduced later:
Both are indeed vulnerabilities in `library/psa_crypto.c` which doesn't exist in Mageia 8's 2.16.12 (and I don't find corresponding code in other files).
For CVE-2022-35409, Debian says their 2.16.x packages are vulnerable: https://security-tracker.debian.org/tracker/CVE-2022-35409
That seems to be the case indeed (at least the affected code exists). Debian lists a ton of related commits but most are documentation, debug code or test cases. The actual vulnerability fix seems to be https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2
So I've backported this trivial patch to 2.16.12 for Mageia 8.
Advisory in next comment.
(As described above, the Mageia 8 update only fixes CVE-2022-35409, the other CVEs are not applicable as there's no PSA support in 2.16.x.)
Updated mbedtls packages fix security vulnerability
An unauthenticated remote host could send an invalid ClientHello message in
which the declared length of the cookie extends past the end of the message.
A DTLS server with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled would read past
the end of the message up to the declared length of the cookie. This could
cause a buffer overread of up to 255 bytes on the heap in vulnerable DTLS
servers, which may lead to a crash or to information disclosure via the
cookie check function (CVE-2022-35409).
This issue has been patched, backporting a fix from upstream's 2.28.0 release.
SRPM in mga8 core/updates_testing:
RPMs in mga8 core/updates_testing:
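As an added illustration of the advisory's point (not mbedtls's own code and not the backported patch): a minimal parser for the cookie field of a DTLS ClientHello body that refuses a declared cookie length reaching past the end of the message, which is exactly the bound the overread described above runs past. The ClientHello layout is simplified to the fields before the cookie, and the test messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified DTLS ClientHello body (constructed layout, fields after the cookie ignored):
 * client_version(2) | random(32) | sid_len(1) | session_id | cookie_len(1) | cookie */
#define CLIHLO_FIXED_LEN (2 + 32)

/* Locate the cookie. Returns 0 and sets *cookie/*cookie_len on success,
 * -1 if any declared length would reach past msg_len. */
int dtls_clihlo_cookie(const uint8_t *msg, size_t msg_len,
                       const uint8_t **cookie, size_t *cookie_len)
{
    size_t off = CLIHLO_FIXED_LEN, sid_len, clen;

    if (msg_len < off + 1) return -1;          /* need the sid_len byte */
    sid_len = msg[off++];
    if (sid_len > msg_len - off) return -1;    /* session id must fit */
    off += sid_len;
    if (msg_len - off < 1) return -1;          /* need the cookie_len byte */
    clen = msg[off++];
    if (clen > msg_len - off) return -1;       /* the bound CVE-2022-35409 is about */
    *cookie = msg + off;
    *cookie_len = clen;
    return 0;
}

/* Build a constructed body whose cookie_len byte says `declared` but which only
 * carries `actual` cookie bytes. Returns the body length, 0 if buf is too small. */
size_t build_clihlo(uint8_t *buf, size_t buf_size, uint8_t declared, size_t actual)
{
    size_t off = 0;
    if (buf_size < CLIHLO_FIXED_LEN + 2 + actual) return 0;
    buf[off++] = 0xFE; buf[off++] = 0xFD;      /* DTLS 1.2 version */
    memset(buf + off, 0xAB, 32); off += 32;    /* constructed random */
    buf[off++] = 0;                            /* empty session id */
    buf[off++] = declared;
    memset(buf + off, 0xCD, actual); off += actual;
    return off;
}

/* Returns the parsed cookie length when accepted, -1 when rejected, -2 on build error. */
int check_hello(uint8_t declared, size_t actual)
{
    uint8_t buf[320]; const uint8_t *c; size_t clen;
    size_t n = build_clihlo(buf, sizeof buf, declared, actual);
    if (n == 0) return -2;
    return dtls_clihlo_cookie(buf, n, &c, &clen) == 0 ? (int)clen : -1;
}

int main(void) { printf("%d %d\n", check_hello(16, 16), check_hello(255, 4)); return 0; }
```

A message declaring a 255-byte cookie while carrying only 4 bytes is rejected before any read past the end, instead of being read "up to the declared length" as the unpatched code did.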
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed test from bug 29866, installed hiawatha and godot.
Made sure httpd is not running, then
# systemctl -l start hiawatha
point browser to localhost and get a nice page "Congratulations! The Hiawatha webserver has successfully been installed on this system."
Started godot and could download some stuff, but as I have no affinity with games, I left it at that.
Good enough for me.
Validating. Advisory in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.