Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#65768 - [security] [mbedtls] private key recovery (CVE-2019-18222)
Attached to Project:
Community Packages
Opened by a (arielzn) - Tuesday, 10 March 2020, 13:53 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 March 2020, 20:34 GMT
Details

Is there a reason for which this package has not been upgraded?

Summary
=======
The package mbedtls is vulnerable to private key recovery via CVE-2019-18222.

Guidance
========
There's already upstream 2.16.5 where this issue is solved.
https://tls.mbed.org/download/mbedtls-2.16.5-gpl.tgz
I guess just a version bump on the PKGBUILD should do.

References
==========
https://security.archlinux.org/AVG-1104
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
Closed by Levente Polyak (anthraxx)
Tuesday, 10 March 2020, 20:34 GMT
Reason for closing: Fixed
Additional comments about closing: 2.16.5-1