Your message dated Sat, 17 Mar 2018 21:42:29 +0000 with message-id <e1exjav-0004bq...@fasolo.debian.org> and subject line Bug#890287: fixed in mbedtls 2.4.2-1+deb9u2 has caused the Debian Bug report #890287, regarding mbedtls: CVE-2018-0488 - Risk of remote code execution when truncated HMAC is enabled to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 890287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890287 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: mbedtls Version: 2.1.2-1 Severity: grave Tags: security https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 Vulnerability When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet can be used to selectively corrupt 6 bytes on the peer's heap, potentially leading to a crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. If the truncated HMAC extension, which can be set by the compile time option MBEDTLS_SSL_TRUNCATED_HMAC in config.h, is disabled when compiling the library, then the vulnerability is not present. The truncated HMAC extension is enabled in the default configuration. The vulnerability is only present if * The compile-time option MBEDTLS_SSL_TRUNCATED_HMAC is set in config.h. (It is set by default) AND * The truncated HMAC extension is explicitly offered by calling mbedtls_ssl_conf_truncated_hmac(). (It is not offered by default) Impact Depending on the platform, an attack exploiting this vulnerability could lead to an application crash or allow remote code execution. Resolution Affected users should upgrade to Mbed TLS 1.3.22, Mbed TLS 2.1.10 or Mbed TLS 2.7.0. Workaround Users should wherever possible upgrade to the newer version of Mbed TLS. Where this is not practical, users should consider disabling the truncated HMAC extension by removing any call to mbedtls_ssl_conf_truncated_hmac() in their application, and the option MBEDTLS_SSL_TRUNCATED_HMAC in the Mbed TLS configuration is practical for their application.
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---Source: mbedtls Source-Version: 2.4.2-1+deb9u2 We believe that the bug you reported is fixed in the latest version of mbedtls, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 890...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. James Cowgill <jcowg...@debian.org> (supplier of updated mbedtls package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 05 Mar 2018 18:24:47 +0000 Source: mbedtls Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc Architecture: source Version: 2.4.2-1+deb9u2 Distribution: stretch-security Urgency: high Maintainer: James Cowgill <jcowg...@debian.org> Changed-By: James Cowgill <jcowg...@debian.org> Description: libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library libmbedtls-dev - lightweight crypto and SSL/TLS library - development files libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation libmbedtls10 - lightweight crypto and SSL/TLS library - tls library libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library Closes: 890287 890288 Changes: mbedtls (2.4.2-1+deb9u2) stretch-security; urgency=high . * Fix CVE-2017-18187: Unsafe bounds check in ssl_parse_client_psk_identity(). * Fix CVE-2018-0487: Buffer overflow when verifying RSASSA-PSS signatures. (Closes: #890288) * Fix CVE-2018-0488: Buffer overflow when truncated HMAC is enabled. (Closes: #890287) Checksums-Sha1: 63035736a04d0b6cbae6d6b150c0d41a1ad23004 2248 mbedtls_2.4.2-1+deb9u2.dsc 2ae3ae3fd203e642cce6f2953ae7edf452885af4 18908 mbedtls_2.4.2-1+deb9u2.debian.tar.xz c0cd4d3a535190d028cbfa6b1ffdeb24262282cc 6713 mbedtls_2.4.2-1+deb9u2_source.buildinfo Checksums-Sha256: da25c581f6287a26542490736310f8df993893683545600ae9df95be4e412914 2248 mbedtls_2.4.2-1+deb9u2.dsc a7e72e80bdeb44f90555348ad40d5e31ed5f01d66d1583bd9a0ebb11ef7ad7fc 18908 mbedtls_2.4.2-1+deb9u2.debian.tar.xz 92179f5483779bb3b96c30f9f9c674964460bb2cdc444f8933f082842b3da02d 6713 mbedtls_2.4.2-1+deb9u2_source.buildinfo Files: d2e54e46950a48b3f8327288daa16ad3 2248 libs optional mbedtls_2.4.2-1+deb9u2.dsc 72515ee69ddd36c21e530ca77e5ed047 18908 libs optional mbedtls_2.4.2-1+deb9u2.debian.tar.xz 61b0614143b22a11ed8f4da9af858fff 6713 libs optional mbedtls_2.4.2-1+deb9u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlqgUg0UHGpjb3dnaWxs QGRlYmlhbi5vcmcACgkQx/FnbeotAe/uCg/+IlA5q+PXrRKxWlQ1cY1pF9yhmsdr MJS7L1Es+jlgWIOnQRi2sV6ojJY+vlz/EyXJEzzZcUIVW/QwX64kbkcTyJ0kx/Zy +BRRq5QIuHqr1NiBzZu2Bfq2oiW8HUGZie//z3hvRLFf7H1x1vi6ABWiPlIta3zb zIGu+iSVcDVhcvfdj7BdosB9I/osjyTR5wKB0B7n9GChNtRbc+Wnp/LxgNpb1rAT HzAs//QQ1sFCeI8p7pR1bdYLvqfccUQgg3ZuKUVmDpH7jjIWTjKfhLSXiAN02/5r +bYUAc+PiDQP/ZNPF6N/DLVm4P7xu05YSv+P9s7K15UpmuxPO3Lwap6FzFeR/+ec peuI5Sn4NYZph9lF/xeUZayvvl5pfmakwj+C8sJyrXTUxHnFOptyDVX+RB6A9mq5 kNTYgvTH9ubtMxDASNXY0hZWnXwwBXGy8Y2WcqLMwJXPadUVaiZbUZNPTwpCGl7s XD8a2hgYf0260g0JLAxaV3aS6lH1aYsK8VHJbwQrarz4+E5jqt3aI91vjm+3WBl3 TUPTDlXA9mMqVm8xWRcdenSKRhlyVdtU+coB13LBF9WJSl7a68BYe1eWEbXKfQl8 J32ynL8pRYnjrhRmbJ+r3Jb8y2mAHjnF6iABqrPZwXyIub2Oj4mN15xjSjmNFDjW xOOTEEiToJiVais= =yWul -----END PGP SIGNATURE-----
--- End Message ---
