CVE-2018-0488 (https://nvd.nist.gov/vuln/detail/CVE-2018-0488): ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

CVE-2018-0487 (https://nvd.nist.gov/vuln/detail/CVE-2018-0487): ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

CVE-2017-18187 (https://nvd.nist.gov/vuln/detail/CVE-2017-18187): In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.
=net-libs/mbedtls-2.7.1 is in the tree and should be rapidly stabilized.

@arch teams, please stabilize KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86"
arm64 stable
ia64 stable
x86 stable
amd64 stable
Stable on alpha.
stable on ppc and ppc64
arm stable
We need to start over with =net-libs/mbedtls-2.7.2 KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 x86"

There have been more security updates. See https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
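An added example, not part of this bug report or of mbed TLS itself: a branch-aware check that encodes the fixed releases named in the CVE text above (1.3.22, 2.1.10, 2.7.0 for the two CVE-2018 entries) and in the 2.8.0/2.7.2/2.1.11 release note, so that a version on an unmaintained branch in between (for example 2.5.x) is not mistaken for fixed. The advisory labels used as dictionary keys are constructed here.

```python
"""Branch-aware mbed TLS version check (constructed example).

The fix table is taken from the CVE text and from the
2.8.0/2.7.2/2.1.11 release note cited in this bug; the labels are
constructed names, not official identifiers.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Oldest fixed release per maintained branch, keyed by (major, minor).
FIXED: Dict[str, Dict[Branch, Version]] = {
    "CVE-2018-0488 / CVE-2018-0487": {
        (1, 3): (1, 3, 22),
        (2, 1): (2, 1, 10),
        (2, 7): (2, 7, 0),
    },
    "mbedtls-2.8.0/2.7.2/2.1.11 release": {
        (2, 1): (2, 1, 11),
        (2, 7): (2, 7, 2),
        (2, 8): (2, 8, 0),
    },
}


def parse_version(text: str) -> Version:
    """'2.7.1' -> (2, 7, 1); a Gentoo revision suffix such as '-r1' is ignored."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    while len(parts) < 3:          # pad '2.7' to (2, 7, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_fixed(version: str, fixes: Dict[Branch, Version]) -> bool:
    """True if `version` contains the fix described by `fixes`.

    A listed branch is fixed from its listed release onwards. A branch
    newer than every listed branch inherits the fix from mainline. A
    branch that is older than the newest listed branch but absent from
    the table (e.g. 2.5.x) received no backport and counts as vulnerable.
    """
    v = parse_version(version)
    branch: Branch = (v[0], v[1])
    if branch in fixes:
        return v >= fixes[branch]
    return branch > max(fixes)


def unfixed_advisories(version: str) -> List[str]:
    """Names of the advisories in FIXED that `version` does not contain."""
    return [name for name, fixes in FIXED.items() if not is_fixed(version, fixes)]
```

`unfixed_advisories("2.7.1")` reports only the 2.7.2 release, while `unfixed_advisories("2.5.0")` reports both, which is why the bug had to be restarted with 2.7.2 rather than keeping the 2.7.1 stabilization.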
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1de34aaeccc3b0c53f453c88a150f856d0bd723b

commit 1de34aaeccc3b0c53f453c88a150f856d0bd723b
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-14 18:44:45 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-14 18:47:10 +0000

    net-libs/mbedtls: amd64 stable

    Bug: https://bugs.gentoo.org/647800
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 net-libs/mbedtls/mbedtls-2.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ppc64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebe4f6f1adf2e34c117c83b8713d1b25eb9f353f

commit ebe4f6f1adf2e34c117c83b8713d1b25eb9f353f
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 06:56:48 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 06:56:48 +0000

    net-libs/mbedtls: stable 2.7.2 for ppc, bug #647800

    Bug: https://bugs.gentoo.org/647800
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-libs/mbedtls/mbedtls-2.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
hppa stable
alpha stable
GLSA request filed

@maintainer, please drop vulnerable.
(In reply to Aaron Bauman from comment #19)
> GLSA request filed
>
> @maintainer, please drop vulnerable.

done.
This issue was resolved and addressed in GLSA 201804-19 at https://security.gentoo.org/glsa/201804-19 by GLSA coordinator Aaron Bauman (b-man).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff53a14e3c0d1f26e269e4b6aa52a0350a87e750

commit ff53a14e3c0d1f26e269e4b6aa52a0350a87e750
Author: Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 17:46:31 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:03 +0000

    net-libs/mbedtls: stable 2.7.2 for sparc

    Bug: https://bugs.gentoo.org/647800
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 net-libs/mbedtls/mbedtls-2.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)