[Buildroot] [PATCH 1/1] package/mbedtls: security bump to version 2.28.2
Peter Korsgaard
peter at korsgaard.com
Sun Dec 18 10:31:42 UTC 2022
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> Fix the following security issues:
> - Fix potential heap buffer overread and overwrite in DTLS if
> MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
> MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
> - An adversary with access to precise enough information about memory
> accesses (typically, an untrusted operating system attacking a secure
> enclave) could recover an RSA private key after observing the victim
> performing a single private-key operation if the window size used for
> the exponentiation was 3 or smaller.
> Drop patch (already in version:
> https://github.com/Mbed-TLS/mbedtls/commit/9d9d45c6b2aeaedfdfdadfec3d05d168db685968)
> https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard