Your message dated Sun, 13 Jul 2025 11:34:46 +0000
with message-id <e1uauyk-003fhe...@fasolo.debian.org>
and subject line Bug#1108788: fixed in mbedtls 3.6.4-1
has caused the Debian Bug report #1108788,
regarding mbedtls: CVE-2025-49601: Out-of-bounds read in mbedtls_lms_import_public_key()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1108788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108788
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mbedtls
Version: 3.6.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for mbedtls.

CVE-2025-49601[0]:
| In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does
| not check that the input buffer is at least 4 bytes before reading a
| 32-bit field, allowing a possible out-of-bounds read on truncated
| input. Specifically, an out-of-bounds read in
| mbedtls_lms_import_public_key allows context-dependent attackers to
| trigger a crash or limited adjacent-memory disclosure by supplying a
| truncated LMS (Leighton-Micali Signature) public-key buffer under
| four bytes. An LMS public key starts with a 4-byte type indicator.
| The function mbedtls_lms_import_public_key reads this type indicator
| before validating the size of its input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49601
    https://www.cve.org/CVERecord?id=CVE-2025-49601
[1] https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-4.md

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
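The missing check that the CVE text above describes, as an added example that is not mbedtls code and not part of this report: a constructed, simplified LMS public-key importer in its unchecked form beside a hardened form that validates the buffer length before reading the 4-byte type indicator. The 56-byte layout and the type codes are the RFC 8554 values for the SHA-256/M32 parameter set; the function and struct names are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of an LMS public-key import; not mbedtls code.
 * RFC 8554 layout for the SHA-256/M32 parameter sets:
 *   u32 lms_type | u32 lmots_type | 16-byte I | 32-byte root  (56 bytes) */
#define LMS_PUBKEY_LEN      56u
#define LMS_SHA256_M32_H10  0x00000006u  /* RFC 8554 LMS type code */
#define LMOTS_SHA256_N32_W8 0x00000004u  /* RFC 8554 LM-OTS type code */
#define ERR_BAD_INPUT_DATA  (-1)

typedef struct { uint32_t lms_type, lmots_type; uint8_t I[16], root[32]; } lms_pubkey_t;

static uint32_t get_u32_be(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Bug pattern from the CVE text: the 4-byte type indicator is read before
 * key_len is validated, so a buffer shorter than 4 bytes is read past its end.
 * Kept only for contrast with the hardened form below. */
int lms_import_pubkey_unchecked(lms_pubkey_t *k, const uint8_t *key, size_t key_len)
{
    k->lms_type = get_u32_be(key);                     /* OOB read if key_len < 4 */
    if (k->lms_type != LMS_SHA256_M32_H10) return ERR_BAD_INPUT_DATA;
    if (key_len != LMS_PUBKEY_LEN) return ERR_BAD_INPUT_DATA;
    k->lmots_type = get_u32_be(key + 4);
    memcpy(k->I, key + 8, 16);
    memcpy(k->root, key + 24, 32);
    return 0;
}

/* Hardened form: each length check precedes the read it guards. */
int lms_import_pubkey_checked(lms_pubkey_t *k, const uint8_t *key, size_t key_len)
{
    if (key_len < 4) return ERR_BAD_INPUT_DATA;        /* guard the type read */
    k->lms_type = get_u32_be(key);
    if (k->lms_type != LMS_SHA256_M32_H10) return ERR_BAD_INPUT_DATA;
    if (key_len != LMS_PUBKEY_LEN) return ERR_BAD_INPUT_DATA;  /* guard the rest */
    k->lmots_type = get_u32_be(key + 4);
    if (k->lmots_type != LMOTS_SHA256_N32_W8) return ERR_BAD_INPUT_DATA;
    memcpy(k->I, key + 8, 16);
    memcpy(k->root, key + 24, 32);
    return 0;
}

/* Self-check on a constructed 56-byte key (type 6, LM-OTS type 4, zero I and
 * root), presented to the importer as if it were key_len bytes long. */
int import_sample(int hardened, size_t key_len)
{
    uint8_t key[LMS_PUBKEY_LEN] = { 0, 0, 0, 6, 0, 0, 0, 4 };
    lms_pubkey_t k;
    return hardened ? lms_import_pubkey_checked(&k, key, key_len)
                    : lms_import_pubkey_unchecked(&k, key, key_len);
}
```

Only the hardened importer is safe to hand a truncated length; the unchecked one is exercised here with a full-size buffer purely to show that both accept a well-formed key.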
--- Begin Message ---
Source: mbedtls
Source-Version: 3.6.4-1
Done: Andrea Pappacoda <ta...@debian.org>

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Pappacoda <ta...@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 13 Jul 2025 13:26:04 +0200
Source: mbedtls
Architecture: source
Version: 3.6.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers <debian-iot-maintain...@alioth-lists.debian.net>
Changed-By: Andrea Pappacoda <ta...@debian.org>
Closes: 1108785 1108786 1108787 1108788
Changes:
 mbedtls (3.6.4-1) unstable; urgency=medium
 .
   * New upstream version 3.6.4
     - Closes: #1108785 (CVE-2025-52496)
     - Closes: #1108786 (CVE-2025-52497)
     - Closes: #1108787 (CVE-2025-49600)
     - Closes: #1108788 (CVE-2025-49601)



--- End Message ---
