Two high severity advisories: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1 https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2 And these in 2.27.0 changelog: Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM) private keys and of blinding values for DHM and elliptic curves (ECP) computations. Reported by FlorianF89 in #4245. Fix a potential side channel vulnerability in ECDSA ephemeral key generation. An adversary who is capable of very precise timing measurements could learn partial information about the leading bits of the nonce used for the signature, allowing the recovery of the private key after observing a large number of signature operations. This completes a partial fix in Mbed TLS 2.20.0. 2.16.11 has these: It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is too small, leading to buffer overflows in ECC operations. Fail the build in such a case. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) could recover an RSA private key after observing the victim performing a single private-key operation. Found and reported by Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. An adversary with access to precise enough timing information (typically, a co-located process) could recover a Curve25519 or Curve448 static ECDH key after inputting a chosen public key and observing the victim performing the corresponding private-key operation. Found and reported by Leila Batina, Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
Package list is empty or all packages have requested keywords.
Please proceed with stabilization when ready.
Unable to check for sanity: > no match for package: net-libs/mbedtls-2.27.0
All sanity-check issues have been resolved
2.16.11 and 2.27.0-r1 are ready.
x86 done
arm done
amd64 done
Looking good on ppc. mbedtls-2.27.0-r1 fails tests like on amd64 (bug #807154). # cat mbedtls-801376.report USE tests started on Mo 23. Aug 19:48:17 CEST 2021 FEATURES=' test' USE='' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege -programs -static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege programs -static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege -programs -static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege -programs static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc havege programs static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc -havege -programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc -havege programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege -programs static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege -programs static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 FEATURES=' test' failed for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege -programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege -programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege -programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc -havege programs -static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege programs -static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc -havege -programs static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege -programs static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege programs static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege programs -static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc -havege -programs static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege -programs static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 revdep tests started on Mo 23. Aug 21:29:07 CEST 2021 FEATURES=' test' USE='mbedtls ssl' succeeded for net-proxy/privoxy FEATURES=' test' USE='-openssl mbedtls' succeeded for net-vpn/openvpn FEATURES=' test' USE='mbedtls ssl' succeeded for net-libs/libwebsockets FEATURES=' test' USE='-gcrypt mbedtls' succeeded for net-libs/libssh2 FEATURES=' test' USE='mbedtls ssl' succeeded for net-misc/curl FEATURES=' test' USE='-gnutls mbedtls ssl tools' succeeded for dev-libs/libzip FEATURES=' test' USE='mbedtls' succeeded for www-servers/lighttpd FEATURES=' test' USE='mbedtls' succeeded for dev-libs/libevent FEATURES=' test' USE='ssl' succeeded for www-client/dillo FEATURES=' test' USE='mbedtls' succeeded for net-libs/libssh FEATURES=' test' USE='mbedtls ssl' succeeded for net-misc/curl FEATURES=' test' USE='mbedtls' succeeded for dev-libs/libevent FEATURES=' test' USE='mbedtls ssl' succeeded for net-proxy/privoxy FEATURES=' test' USE='mbedtls ssl' succeeded for net-libs/libwebsockets FEATURES=' test' USE='mbedtls' succeeded for net-p2p/transmission FEATURES=' test' USE='mbedtls' succeeded for www-servers/lighttpd FEATURES=' test' USE='ssl' succeeded for www-client/dillo FEATURES=' test' USE='-gcrypt mbedtls' succeeded for net-libs/libssh2 FEATURES=' test' USE='-openssl mbedtls' succeeded for net-vpn/openvpn FEATURES=' test' USE='-gnutls mbedtls ssl tools' succeeded for dev-libs/libzip
Looking good on ppc64. # cat mbedtls-801376.report USE tests started on Fr 27. Aug 15:35:08 CEST 2021 FEATURES=' test' USE='' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege -programs -static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc -havege programs static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc -havege programs -static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege -programs static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc -havege programs static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege -programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc -havege programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc havege -programs static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='doc havege -programs static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 USE='-doc havege programs static-libs threads zlib' succeeded for =net-libs/mbedtls-2.16.11 FEATURES=' test' failed for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege -programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege -programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc -havege programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc -havege programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege programs -static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege -programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc -havege programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege programs static-libs -threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc -havege -programs static-libs threads -zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc havege -programs -static-libs -threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='-doc -havege -programs -static-libs threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 USE='doc havege programs static-libs threads zlib' succeeded for =net-libs/mbedtls-2.27.0-r1 revdep tests started on Fr 27. Aug 17:48:01 CEST 2021 FEATURES=' test' USE='mbedtls ssl' succeeded for net-proxy/privoxy FEATURES=' test' USE='mbedtls' succeeded for net-p2p/transmission FEATURES=' test' USE='-gnutls mbedtls ssl tools' succeeded for dev-libs/libzip FEATURES=' test' USE='-openssl mbedtls' succeeded for net-vpn/openvpn FEATURES=' test' USE='ssl' succeeded for www-client/dillo FEATURES=' test' USE='mbedtls' succeeded for net-libs/libssh FEATURES=' test' USE='-gcrypt mbedtls' succeeded for net-libs/libssh2 FEATURES=' test' USE='mbedtls ssl' succeeded for net-misc/curl FEATURES=' test' USE='mbedtls' succeeded for dev-libs/libevent FEATURES=' test' USE='mbedtls' succeeded for www-servers/lighttpd FEATURES=' test' USE='mbedtls ssl' succeeded for net-misc/curl FEATURES=' test' USE='-openssl mbedtls' succeeded for net-vpn/openvpn FEATURES=' test' USE='mbedtls' succeeded for dev-libs/libevent FEATURES=' test' USE='mbedtls' succeeded for app-crypt/tpm2-tss FEATURES=' test' USE='-gnutls mbedtls ssl tools' succeeded for dev-libs/libzip FEATURES=' test' USE='mbedtls' succeeded for net-libs/libssh FEATURES=' test' USE='ssl' succeeded for www-client/dillo FEATURES=' test' USE='mbedtls' succeeded for www-servers/lighttpd FEATURES=' test' USE='mbedtls ssl' succeeded for net-proxy/privoxy FEATURES=' test' USE='-gcrypt mbedtls' succeeded for net-libs/libssh2
ppc64 done
ppc done
(In reply to ernsteiswuerfel from comment #16) > Looking good on ppc64. > Thank you for both!
arm64 done
Unable to check for sanity: > no match for package: net-libs/mbedtls-2.16.11
sparc stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cbba573f8561a68fc5ffd554ae72526efa14fd7 commit 1cbba573f8561a68fc5ffd554ae72526efa14fd7 Author: Jakov Smolić <jsmolic@gentoo.org> AuthorDate: 2021-10-19 19:29:22 +0000 Commit: Anthony G. Basile <blueness@gentoo.org> CommitDate: 2021-10-19 19:39:34 +0000 net-libs/mbedtls: Security cleanup Bug: https://bugs.gentoo.org/801376 Signed-off-by: Jakov Smolić <jsmolic@gentoo.org> Signed-off-by: Anthony G. Basile <blueness@gentoo.org> net-libs/mbedtls/Manifest | 2 - net-libs/mbedtls/mbedtls-2.16.10.ebuild | 100 ------------------------------- net-libs/mbedtls/mbedtls-2.26.0.ebuild | 101 -------------------------------- 3 files changed, 203 deletions(-)
Thank you!
GLSA request filed. Still need CVEs, I guess.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=f524f5fa47d9d739280d4530623a93084918da39 commit f524f5fa47d9d739280d4530623a93084918da39 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-01-11 05:19:06 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-01-11 05:22:06 +0000 [ GLSA 202301-08 ] Mbed TLS: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/730752 Bug: https://bugs.gentoo.org/740108 Bug: https://bugs.gentoo.org/764317 Bug: https://bugs.gentoo.org/778254 Bug: https://bugs.gentoo.org/801376 Bug: https://bugs.gentoo.org/829660 Bug: https://bugs.gentoo.org/857813 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202301-08.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+)
GLSA released, all done!