Bug 33120 - mbedtls new security issue CVE-2024-28960
Summary: mbedtls new security issue CVE-2024-28960
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-22 10:24 CEST by Nicolas Salguero
Modified: 2024-04-26 08:48 CEST

See Also:
Source RPM: mbedtls-2.28.7-1.mga9.src.rpm
CVE: CVE-2024-28960
Status comment:



Description Nicolas Salguero 2024-04-22 10:24:45 CEST
Fedora has issued an advisory on April 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/

The problem is fixed in version 2.28.8.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-22 10:25:12 CEST

CVE: (none) => CVE-2024-28960
Status comment: (none) => Fixed upstream in 2.28.8
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => mbedtls-2.28.7-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-04-22 13:23:30 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory. (CVE-2024-28960)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6UZNBMKYEV2J5DI7R4BQGL472V7X3WJY/
========================

Updated packages in core/updates_testing:
========================
lib(64)mbedcrypto7-2.28.8-1.mga9
lib(64)mbedtls14-2.28.8-1.mga9
lib(64)mbedtls-devel-2.28.8-1.mga9
lib(64)mbedx509_1-2.28.8-1.mga9
mbedtls-2.28.8-1.mga9

from SRPM:
mbedtls-2.28.8-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.28.8 => (none)
Assignee: bugsquad => qa-bugs

katnatek 2024-04-22 21:22:38 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2024-04-23 16:42:14 CEST
MGA9-64 Plasma Wayland on HP-Pavilion.
No installation issues.
Repeated tests as in bug 31058 Comment 3:
hiawatha runs OK and answers with its webpage, godot let me download some demo and move an object around.
OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2024-04-24 04:00:07 CEST

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2024-04-24 14:03:22 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Dan Fandrich 2024-04-25 20:21:41 CEST
This was pushed to updates while Bugzilla was down.
https://advisories.mageia.org/MGASA-2024-0146.html

Resolution: (none) => FIXED
CC: (none) => dan
Status: ASSIGNED => RESOLVED

Comment 5 Mageia Robot 2024-04-26 08:48:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0146.html
