Updated mbedtls packages fix security vulnerabilities
Publication date: 21 Dec 2020Modification date: 21 Dec 2020
Type: security
Affected Mageia releases : 7
Description
This update provides security bug fixes and minor enhancements. Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography are implemented. This could cause failures or the silent use of non-random values. Fix a compliance issue whereby the library did not check the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory.
References
SRPMS
7/core
- mbedtls-2.16.9-1.mga7