Long overdue, sorry for the delay (2.28.3 -> 2.28.7).

Advisory:
=========

Updated mbedtls packages fix security vulnerabilities

This update brings the mbedtls packages from 2.28.3 to the latest 2.28.7 release in the LTS branch, fixing a number of bugs as well as the following security vulnerabilities:

- Buffer overread in TLS stream cipher suites.
- Timing side channel in private key RSA operations.
- Buffer overflow in mbedtls_x509_set_extension.

See the linked release notes for details.

References:
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6
- https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

SRPM in core/updates_testing:
=============================
mbedtls-2.28.7-1.mga9

RPMs in core/updates_testing:
=============================
lib64mbedcrypto7-2.28.7-1.mga9
lib64mbedtls14-2.28.7-1.mga9
lib64mbedx509_1-2.28.7-1.mga9
lib64mbedtls-devel-2.28.7-1.mga9
mbedtls-2.28.7-1.mga9
> - https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5

Not critical, but make that one:

> - https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5
URL: (none) => https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/ https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5 https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6 https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7 https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
CC: (none) => marja11
(In reply to Rémi Verschelde from comment #1)
> > - https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5
>
> Not critical, but make that one:
>
> > - https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5

Advisory uploaded with that correction.
Keywords: (none) => advisory
Mageia9, x86_64

Installed the core packages then updated them from updates-testing.

Referred to bug 29234 for testing. Reproducers for the vulnerabilities not available.

Installed godot and ran it under strace. Brought up the blender scene creation gui, backed out, then created a dummy project, and downloaded some files from assetlib. Closed down.

$ grep mbedtls godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.14", O_RDONLY|O_CLOEXEC) = 3
$ grep crypto godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedcrypto.so.7", O_RDONLY|O_CLOEXEC) = 3
$ grep x509 godot.trace
openat(AT_FDCWD, "/usr/lib64/libmbedx509.so.1", O_RDONLY|O_CLOEXEC) = 3

As far as this goes the game engine functions and opens the libraries. Giving this an OK for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
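The QA check above works by running the application under strace and grepping for the mbedtls shared objects it opens. The following script, added here as an example and not part of the bug report or of Mageia's QA tooling, automates that check: it extracts every successfully opened libmbed*.so.N from an strace log and compares the set against the sonames shipped by the packages listed in the advisory (libmbedtls.so.14, libmbedcrypto.so.7, libmbedx509.so.1). The strace lines it runs on are constructed to mirror the ones in the report, with one extra failed open of an older soname to show that a lookup that returned ENOENT is not counted as a loaded library.

```shell
#!/bin/sh
# Added example (not from the bug report): verify from an strace log that an
# application opened the mbedtls sonames shipped by the updated packages.

# Sonames provided by lib64mbedtls14, lib64mbedcrypto7 and lib64mbedx509_1
# (the 2.28.7 packages listed in the advisory).
EXPECTED_SONAMES="libmbedtls.so.14 libmbedcrypto.so.7 libmbedx509.so.1"

# mbedtls_sonames_from_trace FILE
#   Print the basename of every libmbed{tls,crypto,x509}.so.N that an openat()
#   call opened successfully (return value >= 0). Lines ending in
#   "= -1 ENOENT (...)" are deliberately excluded: a failed lookup of a stale
#   soname does not mean the library was loaded.
mbedtls_sonames_from_trace() {
    grep -E 'openat\(.*libmbed(tls|crypto|x509)\.so\.[0-9]+".*\) = [0-9]+$' "$1" \
        | sed -E 's/.*"([^"]*\/)?(libmbed[a-z0-9]+\.so\.[0-9]+)".*/\2/' \
        | sort -u
}

# check_mbedtls_trace FILE
#   Report each expected soname as ok/MISSING; exit status 0 only if all of
#   them were opened.
check_mbedtls_trace() {
    found_sonames=$(mbedtls_sonames_from_trace "$1")
    check_rc=0
    for so in $EXPECTED_SONAMES; do
        if printf '%s\n' "$found_sonames" | grep -qxF "$so"; then
            echo "ok      $so"
        else
            echo "MISSING $so"
            check_rc=1
        fi
    done
    return $check_rc
}

# write_sample_trace FILE
#   Constructed sample: the three successful opens from the QA report plus a
#   failed open of an older soname that must be ignored.
write_sample_trace() {
    cat > "$1" <<'EOF'
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.12", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libmbedtls.so.14", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedcrypto.so.7", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libmbedx509.so.1", O_RDONLY|O_CLOEXEC) = 3
EOF
}

# Stand-alone run on the constructed sample (in practice pass the real
# godot.trace, or any other strace -f -e trace=openat log, instead).
SAMPLE_TRACE=$(mktemp)
write_sample_trace "$SAMPLE_TRACE"
check_mbedtls_trace "$SAMPLE_TRACE"
sample_rc=$?
rm -f "$SAMPLE_TRACE"
echo "result: $sample_rc (0 = all expected sonames opened)"
```

A successful openat() only shows that the file with that soname was mapped; to confirm it is the updated build rather than a leftover copy, follow up with `rpm -qf /usr/lib64/libmbedtls.so.14` (and the other two paths) and check that the owning package is the 2.28.7-1.mga9 one from the advisory.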
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0037.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED