openSUSE has issued an advisory on December 31: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XEUHNTIZA3D3WTCE7CPPFSSECHSABXIG/ The issue is fixed upstream in 2.28.2: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 The upstream commit that fixed the issue is referenced in the SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1206576
Status comment: (none) => Patches available from upstream and openSUSE
I believe the CVE was badly written as it doesn't specify the first vulnerable version. The 2.16.x branch doesn't seem to have the MBEDTLS_SSL_DTLS_CONNECTION_ID code at all so it's not relevant for it.
Status: NEW => RESOLVED
Resolution: (none) => INVALID
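The applicability check described in the comment above (does the tree contain the MBEDTLS_SSL_DTLS_CONNECTION_ID code at all, and if so is the option actually compiled in) can be scripted. The following is an added example, not part of this bug thread, of the Mageia package, or of Mbed TLS itself. It assumes the Mbed TLS 2.x tree layout (include/mbedtls/version.h and include/mbedtls/config.h), uses the fixed version 2.28.2 named in the thread, and builds constructed miniature trees as sample input; the function names are mine. It only reports whether the code is present and the option enabled for a given version, which is what decides applicability here; it is not a vulnerability scanner.

```shell
#!/bin/sh
# Added triage helper (example code, not Mbed TLS or Mageia code).
# Assumes the Mbed TLS 2.x layout: include/mbedtls/version.h, include/mbedtls/config.h.

# Print the version string from include/mbedtls/version.h, e.g. 2.16.12
mbedtls_version() {
    sed -n 's/^#define MBEDTLS_VERSION_STRING[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/include/mbedtls/version.h"
}

# Does the tree contain the DTLS Connection ID code at all?  0 = yes, 1 = no
has_cid_code() {
    grep -rq 'MBEDTLS_SSL_DTLS_CONNECTION_ID' "$1/include" "$1/library" 2>/dev/null
}

# Is the option enabled in config.h, i.e. an uncommented #define?  0 = yes, 1 = no
# (2.x ships it commented out as //#define ..., which grep -r still matches above)
cid_enabled() {
    grep -Eq '^[[:space:]]*#define[[:space:]]+MBEDTLS_SSL_DTLS_CONNECTION_ID([[:space:]]|$)' \
        "$1/include/mbedtls/config.h" 2>/dev/null
}

# Return 0 if dotted version $1 >= $2, compared component-wise as integers
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0;
            if (xi > yi) exit 0; if (xi < yi) exit 1;
        }
        exit 0 }'
}

# Classify one 2.x tree for CVE-2022-46393. Prints one of:
#   not-applicable  no CID code in the tree (the 2.16.x situation from the thread)
#   disabled        code present but the option is commented out in config.h
#   exposed         option enabled and version below the fixed 2.28.2
#   fixed           option enabled, version 2.28.2 or later
cve_2022_46393_status() {
    tree=$1
    if ! has_cid_code "$tree"; then echo not-applicable; return; fi
    if ! cid_enabled "$tree"; then echo disabled; return; fi
    ver=$(mbedtls_version "$tree")
    if version_ge "$ver" 2.28.2; then echo fixed; else echo exposed; fi
}

# Build a constructed miniature tree (sample data, not real Mbed TLS sources).
# $3 is none (no CID code), off (option commented out) or on (option enabled).
make_sample_tree() {
    dir=$1 ver=$2 cid=$3
    mkdir -p "$dir/include/mbedtls" "$dir/library"
    printf '#define MBEDTLS_VERSION_STRING "%s"\n' "$ver" > "$dir/include/mbedtls/version.h"
    case $cid in
        none) : > "$dir/include/mbedtls/config.h" ;;
        off)  printf '//#define MBEDTLS_SSL_DTLS_CONNECTION_ID\n' > "$dir/include/mbedtls/config.h" ;;
        on)   printf '#define MBEDTLS_SSL_DTLS_CONNECTION_ID\n' > "$dir/include/mbedtls/config.h" ;;
    esac
}

# Demo over four constructed trees; replace "$tmp/x" with a real checkout to use it.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/a" 2.16.12 none
    make_sample_tree "$tmp/b" 2.28.1 off
    make_sample_tree "$tmp/c" 2.28.1 on
    make_sample_tree "$tmp/d" 2.28.2 on
    for t in a b c d; do
        printf '%s %-8s %s\n' "$t" "$(mbedtls_version "$tmp/$t")" "$(cve_2022_46393_status "$tmp/$t")"
    done
    rm -rf "$tmp"
}

demo
```

Run it against a real checkout with `cve_2022_46393_status /path/to/mbedtls`; a tree that reports not-applicable is the case made in the comment above, while disabled versus exposed depends on the distribution's build configuration rather than on the version number alone.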
Fedora has issued an advisory for this on January 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4BR7ZCVKLPGCOEEALUHZMFHXQHR6S4QL/ Is 2.16.x also not affected by CVE-2022-46392?
Summary: mbedtls new security issue CVE-2022-46393 => mbedtls new security issues CVE-2022-4639[23]
CVE-2022-46392 seems applicable. Debian marks their versions as vulnerable: https://security-tracker.debian.org/tracker/CVE-2022-46392 They postponed fixing this as a "minor issue". Upstream/the CVE don't give much information on which commit fixed it, but going through the logs of the 2.28 branch I identified this patch: https://github.com/Mbed-TLS/mbedtls/commit/99ac73d9632c17f0412335d784ee9138028e03e8 It doesn't cherry-pick trivially but the conflicts might not be hard to solve.
Resolution: INVALID => (none)
Summary: mbedtls new security issues CVE-2022-4639[23] => mbedtls 2.16.12 new security issue CVE-2022-46392 (CVE-2022-46393 not applicable)
Severity: major => normal
Status: RESOLVED => REOPENED
Mageia 8 EOL
CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: REOPENED => RESOLVED