Summary: | <net-libs/mbedtls-{2.16.12,2.28.0}: multiple vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | blueness |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B2 [glsa+] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 829713 | | |
Bug Blocks: | | | |

Description
John Helmert III
2021-12-19 22:15:11 UTC
I just added 2.16.12, 2.28.0 and 3.1.0. I did preliminary testing and they are ready for rapid stabilization.

Thank you!

(In reply to John Helmert III from comment #0)
> https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.12
> https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
>
> "Security
> * Zeroize several intermediate variables used to calculate the expected
>   value when verifying a MAC or AEAD tag. This hardens the library in
>   case the value leaks through a memory disclosure vulnerability. For
>   example, a memory disclosure vulnerability could have allowed a
>   man-in-the-middle to inject fake ciphertext into a DTLS connection.
> * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
>   from the output buffer. This fixes a potential policy bypass or
>   decryption oracle vulnerability if the output buffer is in memory that
>   is shared with an untrusted application. CVE-2021-45450
> * Fix a double-free that happened after mbedtls_ssl_set_session() or
>   mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
>   (out of memory). After that, calling mbedtls_ssl_session_free()
>   and mbedtls_ssl_free() would cause an internal session buffer to
>   be free()'d twice."
>
> please bump to 2.16.12 and 2.28.0.

Please cleanup, thanks!

(In reply to John Helmert III from comment #4)
> Please cleanup, thanks!

clean up done

Thanks!

CVE-2021-43666 (https://github.com/ARMmbed/mbedtls/issues/5136):
A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0.

GLSA request filed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f524f5fa47d9d739280d4530623a93084918da39

commit f524f5fa47d9d739280d4530623a93084918da39
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:19:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:06 +0000

    [ GLSA 202301-08 ] Mbed TLS: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/730752
    Bug: https://bugs.gentoo.org/740108
    Bug: https://bugs.gentoo.org/764317
    Bug: https://bugs.gentoo.org/778254
    Bug: https://bugs.gentoo.org/801376
    Bug: https://bugs.gentoo.org/829660
    Bug: https://bugs.gentoo.org/857813
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-08.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

GLSA released, all done!