Summary: | <net-libs/mbedtls-{2.16.11,2.27.0}: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | blueness, jsmolic, sam |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/22637 | ||
Whiteboard: | B4 [glsa+] | ||
Package list: | net-libs/mbedtls-2.16.11, net-libs/mbedtls-2.27.0-r1 | ||
Runtime testing required: | --- |
Description
John Helmert III
2021-07-09 19:11:35 UTC
Package list is empty or all packages have requested keywords.
Please proceed with stabilization when ready.
Unable to check for sanity:
> no match for package: net-libs/mbedtls-2.27.0
All sanity-check issues have been resolved
2.16.11 and 2.27.0-r1 are ready.
x86 done
arm done
amd64 done
Looking good on ppc. mbedtls-2.27.0-r1 fails tests like on amd64 (bug #807154).
Looking good on ppc64.
ppc64 done
ppc done
(In reply to ernsteiswuerfel from comment #16)
> Looking good on ppc64.
>
Thank you for both!
arm64 done
Unable to check for sanity:
> no match for package: net-libs/mbedtls-2.16.11
All sanity-check issues have been resolved
sparc stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cbba573f8561a68fc5ffd554ae72526efa14fd7
commit 1cbba573f8561a68fc5ffd554ae72526efa14fd7
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2021-10-19 19:29:22 +0000
Commit: Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2021-10-19 19:39:34 +0000
net-libs/mbedtls: Security cleanup
Bug: https://bugs.gentoo.org/801376
Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
net-libs/mbedtls/Manifest | 2 -
net-libs/mbedtls/mbedtls-2.16.10.ebuild | 100 -------------------------------
net-libs/mbedtls/mbedtls-2.26.0.ebuild | 101 --------------------------------
3 files changed, 203 deletions(-)
Thank you!
Unable to check for sanity:
> no match for package: net-libs/mbedtls-2.16.11
GLSA request filed. Still need CVEs, I guess.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=f524f5fa47d9d739280d4530623a93084918da39
commit f524f5fa47d9d739280d4530623a93084918da39
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:19:06 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:06 +0000
[ GLSA 202301-08 ] Mbed TLS: Multiple Vulnerabilities
Bug: https://bugs.gentoo.org/730752
Bug: https://bugs.gentoo.org/740108
Bug: https://bugs.gentoo.org/764317
Bug: https://bugs.gentoo.org/778254
Bug: https://bugs.gentoo.org/801376
Bug: https://bugs.gentoo.org/829660
Bug: https://bugs.gentoo.org/857813
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>
glsa-202301-08.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
GLSA released, all done! |