Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#67996 - [security][mbedtls] 2.16.7-1: Two local side channel vulnerabilities (CVE-2020-16150)
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Friday, 25 September 2020, 13:55 GMT
Last edited by Kyle Keen (keenerd) - Tuesday, 05 January 2021, 22:31 GMT
Details
mbedTLS 2.16.7 is affected by two security issues:
"Local side channel attack on classical CBC decryption in (D)TLS" (CVE-2020-16150, severity "high"): https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
"Local side channel attack on RSA and static Diffie-Hellman" (no CVE, severity "high"): https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
Both are fixed in mbedTLS versions 2.16.8 and 2.24.0.
Closed by Kyle Keen (keenerd)
Tuesday, 05 January 2021, 22:31 GMT
Reason for closing: Fixed
Additional comments about closing: mbedtls 2.25.0-1