This update for mbedtls fixes the following issues:
- Update to version 2.28.7:
  - Resolves CVE-2024-23170 boo#1219336
- Update to 2.28.6:
  Changes:
  * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
    license. Users may choose which license they take the code under.
- Update to 2.28.5:
  Features:
  * The documentation of mbedtls_ecp_group now describes the optimized
    representation of A for some curves. Fixes gh#Mbed-TLS/mbedtls#8045.
  Security:
  * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
    review the size of the output buffer passed to this function, and note
    that the output after decryption may include CBC padding. Consider
    moving to the new functions mbedtls_pkcs5_pbes2_ext() or
    mbedtls_pkcs12_pbe_ext(), which check for overflow of the output
    buffer and report the actual length of the output.
  * Improve padding calculations in CBC...
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
zypper in -t patch openSUSE-2024-37=1
- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):
libmbedcrypto7-2.28.7-bp155.2.3.1
libmbedtls14-2.28.7-bp155.2.3.1
libmbedx509-1-2.28.7-bp155.2.3.1
mbedtls-devel-2.28.7-bp155.2.3.1
- openSUSE Backports SLE-15-SP5 (aarch64_ilp32):
libmbedcrypto7-64bit-2.28.7-bp155.2.3.1
libmbedtls14-64bit-2.28.7-bp155.2.3.1
libmbedx509-1-64bit-2.28.7-bp155.2.3.1
- openSUSE Backports SLE-15-SP5 (x86_64):
libmbedcrypto7-32bit-2.28.7-bp155.2.3.1
libmbedtls14-32bit-2.28.7-bp155.2.3.1
libmbedx509-1-32bit-2.28.7-bp155.2.3.1
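To confirm the patch landed, the installed mbedtls packages can be compared against the fixed version-release in the list above. The following is an added example, not part of the advisory: the function name and output format are assumptions, and GNU `sort -V` is used as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Fixed version-release, taken from the advisory's package list.
FIXED="2.28.7-bp155.2.3.1"

# check_mbedtls_pkgs (hypothetical helper): reads "name version-release"
# lines on stdin and prints one verdict per mbedtls package named in the
# advisory. Returns 1 if any of them is older than FIXED, 0 otherwise.
#
# Typical input on a live system:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_mbedtls_pkgs
check_mbedtls_pkgs() {
    rc=0
    while read -r name ver; do
        # Only the packages this update ships (including -32bit/-64bit variants).
        case "$name" in
            libmbedcrypto7*|libmbedtls14*|libmbedx509-1*|mbedtls-devel) ;;
            *) continue ;;
        esac
        # The smaller of the two versions sorts first; if that is FIXED,
        # the installed package is at or above the fixed release.
        lowest=$(printf '%s\n%s\n' "$ver" "$FIXED" | sort -V | head -n 1)
        if [ "$lowest" = "$FIXED" ]; then
            echo "OK       $name $ver"
        else
            echo "OUTDATED $name $ver (fixed in $FIXED)"
            rc=1
        fi
    done
    return $rc
}
```

A non-zero exit status means at least one listed package still needs `zypper patch`.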
https://www.suse.com/security/cve/CVE-2024-23170.html
https://bugzilla.suse.com/1219336