{ "schema_version": "1.7.0", "id": "MGASA-2020-0469", "published": "2020-12-21T21:47:06Z", "modified": "2020-12-21T21:10:21Z", "summary": "Updated mbedtls packages fix security vulnerabilities", "details": "This update provides security bug fixes and minor enhancements.\n\nLimit the size of calculations performed by mbedtls_mpi_exp_mod to\nMBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating\nDiffie-Hellman key pairs.\n\nA failure of the random generator was ignored in mbedtls_mpi_fill_random(),\nwhich is how most uses of randomization in asymmetric cryptography are\nimplemented. This could cause failures or the silent use of non-random values. \n\nFix a compliance issue whereby the library did not check the tag on the\nalgorithm parameters (only the size) when comparing the signature in the\ndescription part of the cert to the real signature.\n\nZeroising of local buffers and variables which are used for calculations in\nmbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),\nmbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()\nfunctions to erase sensitive data from memory.\n", "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2020-0469.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=27869" }, { "type": "WEB", "url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9" } ], "affected": [ { "package": { "ecosystem": "Mageia:7", "name": "mbedtls", "purl": "pkg:rpm/mageia/mbedtls?arch=source&distro=mageia-7" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.16.9-1.mga7" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }