Description of problem:
This version is affected by CVE-2023-36328. The CVE description:

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).

Version-Release number of selected component (if applicable):
1.2.0

How reproducible:
unknown exploitability
Component: RPM Packages => Security
Whiteboard: (none) => MGA8TOO
CVE: (none) => CVE-2023-36328
QA Contact: (none) => security
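As an added illustration of the bug class the CVE text names (an integer overflow in a "grow the digit array" routine), here is a small C model of the unchecked round-up beside a bounded form. This is example code written for this page, not libtommath's mp_grow; the type and constant names (digit_t, DIGIT_PREC, MAX_DIGIT_COUNT, bigint) are assumptions, and the arithmetic is done in unsigned so the wrap is well defined for demonstration.

```c
/* Added example: model of an integer-overflow bug in a digit-array grow
 * routine, in the style of the mp_grow issue in CVE-2023-36328. Not
 * libtommath's code; digit_t, DIGIT_PREC, MAX_DIGIT_COUNT and bigint are
 * assumed names. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

typedef unsigned int digit_t;
#define DIGIT_PREC 32                                 /* grow in chunks of 32 digits */
/* Assumed upper bound on digit counts, chosen so that the round-up below
 * can never exceed INT_MAX. */
#define MAX_DIGIT_COUNT ((INT_MAX - 2 * DIGIT_PREC) / 2)

typedef struct {
    digit_t *dp;   /* digit array */
    int used;      /* digits in use */
    int alloc;     /* digits allocated */
} bigint;

/* Unchecked round-up: pads the requested count to the next chunk boundary
 * with plain integer arithmetic and no bound on the input. Near INT_MAX the
 * addition wraps, and the result becomes a negative digit count that a
 * caller would later cast to size_t (huge) or store as a bogus bound. */
int grow_size_unchecked(int size)
{
    unsigned int s = (unsigned int)size;
    s += (DIGIT_PREC * 2) - (s % DIGIT_PREC);
    return (int)s;
}

/* Bounded round-up: reject anything above MAX_DIGIT_COUNT before doing the
 * arithmetic, so the padded value cannot overflow int. */
bool grow_size_checked(int size, int *out)
{
    if (size < 0 || size > MAX_DIGIT_COUNT)
        return false;
    *out = size + (DIGIT_PREC * 2) - (size % DIGIT_PREC);
    return true;
}

/* Grow helper built on the checked path. Returns false on an oversized
 * request or allocation failure, leaving the bigint untouched. */
bool bigint_grow(bigint *a, int size)
{
    int new_alloc;
    if (a->alloc >= size)
        return true;
    if (!grow_size_checked(size, &new_alloc))
        return false;
    digit_t *tmp = realloc(a->dp, (size_t)new_alloc * sizeof(digit_t));
    if (tmp == NULL)
        return false;
    a->dp = tmp;
    a->alloc = new_alloc;
    return true;
}
```

The point of the checked variant is that the bound test happens on the caller's value before any padding is added, which is the only place the check is cheap and complete; testing the padded result afterwards is too late once the addition has already wrapped.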
The subsequent release 1.2.1 only contains the fix for this, so I've updated to that version.

These RPMs are now available in core/updates_testing (core/release in Cauldron) for testing:
libtommath-1.2.1-1.mga10
libtommath-1.2.1-1.mga9
libtommath-1.2.1-1.mga8

Here is a regression test procedure that uses the dropbear server as a test application using libtommath:

$ sudo urpmi dropbear
$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh 127.0.0.1 echo Working
=> should return "Working"

Proposed security advisory text for mga9:
========================

Updated the dropbear package to fix a security vulnerability:

Dropbear is vulnerable to an Integer Overflow vulnerability that could allow attackers to execute arbitrary code and cause a denial of service (DoS).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36328
https://github.com/libtom/libtommath/pull/546

Updated package in core/updates:
libtommath-1.2.1-1.mga9

Source RPMs:
libtommath-1.2.1-1.mga9.src.rpm
Keywords: (none) => advisory, has_procedure
Status: NEW => ASSIGNED
Assignee: dan => qa-bugs
I guessed the update for M8 would be libtommath-1.2.1-1.mga8, but it is not found in the repos.
CC: (none) => herman.viaene
It's currently in core/updates_testing waiting for QA approval.
Error: libtommath-1.2.1-1.mga8 not found in the remote repository
The name should be lib(64)tommath1-1.2.1-1.mga8
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Following comment 1, after installing dropbear:

# systemctl stop sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:sshd(8)
           man:sshd_config(5)
# systemctl start dropbear
# systemctl -l status dropbear
● dropbear.service - Dropbear SSH Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-09-16 11:38:01 CEST; 22s ago
  Process: 78966 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)
etc.....

$ ssh 127.0.0.1 echo Working
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:pf4ffjtP8i3NsEkSmBTOUZDNOhoKpc1y4e5LZkdi40o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
tester8@127.0.0.1's password:
/usr/bin/xauth: file /home/tester8/.Xauthority does not exist
Working
[tester8@mach7 Documents]$ ssh 127.0.0.1 echo Working
tester8@127.0.0.1's password:
Working

So working OK.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
libtommath is the name of the 32-bit version as well as being the name of the source rpm package. Dan, please include the list of srpms, the 32-bit list of rpms and the 64-bit list of rpms separately in bug reports.
CC: (none) => davidwhodgins
The current name in M8 repos is now libtommath1, is that wrong then???
x86_64 rpm list
lib64tommath-devel-1.2.1-1.mga9
lib64tommath1-1.2.1-1.mga9

i586 rpm list
libtommath1-1.2.1-1.mga9
libtommath-devel-1.2.1-1.mga9

srpm list
libtommath-1.2.0-4.mga9.src.rpm
Same list for m8 but with mga8.
Tested using sshd on both m8 and m9. Validating.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Dan, in future please do not add the advisory keyword. It shouldn't be added until the advisory has been committed to svn. It's now there. https://svnweb.mageia.org/advisories/32247.adv?view=log The advisory in svn must be formatted for use by the script that pushes updates and publishes the advisory to the public.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0265.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED