Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mbedtls for openSUSE:Factory checked in at 2026-07-08 17:37:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mbedtls (Old) and /work/SRC/openSUSE:Factory/.mbedtls.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mbedtls" Wed Jul 8 17:37:25 2026 rev:53 rq:1364436 version:4.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes 2026-06-22 17:33:49.130952269 +0200 +++ /work/SRC/openSUSE:Factory/.mbedtls.new.1982/mbedtls.changes 2026-07-08 17:39:40.952048960 +0200 @@ -1,0 +2,40 @@ +Wed Jul 8 07:46:06 UTC 2026 - Martin Pluskal <[email protected]> + +- Update to 4.2.0: + * Security fixes: + - CVE-2026-50580: remote buffer overflow in (D)TLS with + ECDHE-PSK cipher suites when CBC is disabled + - CVE-2026-50581: transcript-hash computation errors during + TLS 1.2 extended master secret calculation could be + ignored instead of failing the handshake + - CVE-2026-50579: use-after-free/double-free in + mbedtls_pkcs7_free() when reusing a context across + parse/free cycles + - CVE-2026-49300: X.509 parser accepted some certificates + with malformed basicConstraints, risking end-entity + certificates being treated as CA certificates + - CVE-2026-50586: information disclosure in TLS 1.2 servers + using session tickets (uninitialised stack memory sent in + NewSessionTicket) + - CVE-2026-50588: out-of-bounds read parsing TLS 1.2 ECJPAKE + ServerKeyExchange messages + - CVE-2026-50640: TLS 1.3 server could issue invalid session + tickets under resource exhaustion instead of failing + - CVE-2026-50585: badmac_seen and dtls_srtp_info fields not + zeroized on mbedtls_ssl_session_reset(), causing premature + DTLS failure or wrong DTLS-SRTP parameter inheritance + - CVE-2026-25832: TLS 1.3 clients now reject a + HelloRetryRequest selecting an unadvertised group + - CVE-2026-54441: clarified mbedtls_ssl_conf_sig_algs() only + governs TLS key exchange, not certificate verification + * SHA3-256/384/512 are now accepted in the default X.509 + certificate profile + * Restore DESTDIR support for CMake installs of the + compatibility libmbedcrypto symlinks + * PKCS7 now rejects weak hash algorithms (RIPEMD160, MD5, + SHA-1, SHA-224, SHA3-224) on signature verification + * X.509 certificates with a basicConstraints extension + starting with an INTEGER field are no longer accepted + * Bundled TF-PSA-Crypto upgraded from 1.1.0 to 1.2.0 + +------------------------------------------------------------------- Old: ---- mbedtls-4.1.0.tar.bz2 New: ---- mbedtls-4.2.0.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mbedtls.spec ++++++ --- /var/tmp/diff_new_pack.uzS6K8/_old 2026-07-08 17:39:42.176091734 +0200 +++ /var/tmp/diff_new_pack.uzS6K8/_new 2026-07-08 17:39:42.180091874 +0200 @@ -20,7 +20,7 @@ %define lib_x509 libmbedx509-9 %define lib_tfpsa libtfpsacrypto2 Name: mbedtls -Version: 4.1.0 +Version: 4.2.0 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 OR GPL-2.0-or-later ++++++ mbedtls-4.1.0.tar.bz2 -> mbedtls-4.2.0.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/mbedtls/mbedtls-4.1.0.tar.bz2 /work/SRC/openSUSE:Factory/.mbedtls.new.1982/mbedtls-4.2.0.tar.bz2 differ: char 11, line 1
