FS#65768 - [security] [mbedtls] private key recovery (CVE-2019-18222)
Attached to Project:
Community Packages
Opened by a (arielzn) - Tuesday, 10 March 2020, 13:53 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 March 2020, 20:34 GMT
Details
Is there a reason for which this package has not been upgraded?

Summary
=======
The package mbedtls is vulnerable to private key recovery via CVE-2019-18222.

Guidance
========
There's already upstream 2.16.5 where this issue is solved.
https://tls.mbed.org/download/mbedtls-2.16.5-gpl.tgz
I guess just a version bump on the PKGBUILD should do.

References
==========
https://security.archlinux.org/AVG-1104
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
Closed by Levente Polyak (anthraxx)
Tuesday, 10 March 2020, 20:34 GMT
Reason for closing: Fixed
Additional comments about closing: 2.16.5-1