https://nvd.nist.gov/vuln/detail/CVE-2024-45157: An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. https://nvd.nist.gov/vuln/detail/CVE-2024-49195: Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair.
Removed version numbers because we only refer to fixed version in Gentoo itself.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86acd886db67d37721a4ac9968358131e3439f76 commit 86acd886db67d37721a4ac9968358131e3439f76 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2024-11-12 20:28:30 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-11-23 16:54:05 +0000 net-libs/mbedtls: add 2.28.9, 3.6.2 Fix security vulnerabilities: * CVE-2024-45157 * CVE-2024-49195 Bug: https://bugs.gentoo.org/943337 Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> net-libs/mbedtls/Manifest | 2 + net-libs/mbedtls/mbedtls-2.28.9.ebuild | 102 +++++++++++++++++++++++++++++++++ net-libs/mbedtls/mbedtls-3.6.2.ebuild | 95 ++++++++++++++++++++++++++++++ 3 files changed, 199 insertions(+)