Advisories » MGASA-2020-0265

Updated mbedtls packages fix security vulnerability

Publication date: 16 Jun 2020
Modification date: 16 Jun 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-10932

Description

Updated mbedtls packages fix security vulnerability

Fix side channel in ECC code that allowed an adversary with access to precise
enough timing and memory access information (typically an untrusted operating
system attacking a secure enclave) to fully recover an ECDSA private key.
(CVE-2020-10932)

Fix a potentially remotely exploitable buffer overread in a DTLS client when
parsing the Hello Verify Request message.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26758
• https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
• https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10932

SRPMS

7/core

• mbedtls-2.16.6-1.mga7