Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package mbedtls-3 for openSUSE:Factory 
checked in at 2026-07-14 13:49:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls-3 (Old)
 and      /work/SRC/openSUSE:Factory/.mbedtls-3.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mbedtls-3"

Tue Jul 14 13:49:15 2026 rev:2 rq:1365402 version:3.6.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/mbedtls-3/mbedtls-3.changes      2026-06-25 
10:59:43.566571861 +0200
+++ /work/SRC/openSUSE:Factory/.mbedtls-3.new.1991/mbedtls-3.changes    
2026-07-14 13:49:41.762496213 +0200
@@ -1,0 +2,63 @@
+Mon Jul 13 15:43:41 UTC 2026 - Martin Pluskal <[email protected]>
+
+- update to 3.6.7:
+  This is a security release fixing memory-safety issues, several
+  side-channel leaks and TLS/X.509 protocol flaws:
+  * CVE-2026-50580: remote buffer overflow in (D)TLS with ECDHE-PSK
+    cipher suites when CBC is disabled
+  * CVE-2026-35336: buffer overflow in mbedtls_ecdh_calc_secret() when
+    the provided output buffer is too small
+  * CVE-2026-50713: buffer overflow on DTLS renegotiation when
+    badmac_limit is enabled
+  * CVE-2026-50579: use-after-free/double-free in mbedtls_pkcs7_free()
+    when reusing a PKCS7 context across parse/free cycles
+  * CVE-2026-50588: out-of-bounds read when parsing TLS 1.2 ECJPAKE
+    ServerKeyExchange messages
+  * CVE-2026-50583: one-byte buffer overread when parsing a malformed
+    ECC public key in the PK module
+  * CVE-2026-49300: X.509 parser accepted malformed basicConstraints,
+    allowing end-entity certificates to be treated as CA certificates
+  * CVE-2026-25832: TLS 1.3 client now rejects a HelloRetryRequest that
+    selects a group not advertised in the ClientHello
+  * CVE-2026-50587: constant-time handling of RSA PKCS#1 v1.5 decryption
+    errors to prevent a Bleichenbacher timing attack
+  * CVE-2026-54435: side channel in ECC computations allowing a local
+    attacker to recover long-term secret keys
+  * CVE-2026-50586: up to 4 bytes of uninitialized stack memory could be
+    sent in the TLS 1.2 NewSessionTicket message
+  * CVE-2026-50584: reject ChaCha20 operations that wrap the 32-bit block
+    counter and would otherwise reuse keystream
+  * CVE-2026-50581: TLS 1.2 extended master secret transcript-hash
+    computation errors are no longer silently ignored
+  * CVE-2026-50640: TLS 1.3 server no longer issues invalid session
+    tickets when the resumption master secret cannot be computed
+  * CVE-2026-50585: zeroize the dtls_srtp_info field in
+    mbedtls_ssl_session_reset() to avoid DTLS-SRTP parameter inheritance
+  * CVE-2026-54441: clarify that mbedtls_ssl_conf_sig_algs() does not
+    restrict signature algorithms during certificate verification
+  * further hardening without assigned CVEs: TLS 1.3 early-data
+    record-boundary validation, random-generator failure handling during
+    the TLS 1.3 handshake, a timing side channel in RSA key generation,
+    and PKCS7 now rejecting weak hash algorithms (new option
+    MBEDTLS_PKCS7_ALLOW_WEAK_SIGNATURES keeps the old behavior)
+- this package also carries the fixes from the 3.6.6 upstream security
+  batch for the following issues (referenced here for Leap 16.1 tracking):
+  * CVE-2026-34875, boo#1261451: arbitrary code execution via a buffer
+    overflow in FFDH key export
+  * CVE-2026-34876, boo#1261452: CCM multipart-finish tag-length
+    validation bypass
+  * CVE-2026-34877, boo#1261457: memory-safety issues from insufficient
+    protection of serialized session or context data
+  * CVE-2026-34874, boo#1261527: NULL pointer dereference when setting a
+    distinguished name
+  * CVE-2026-34873, boo#1261450: client impersonation during TLS 1.3
+    session resumption
+  * CVE-2026-34872, boo#1261449: shared-secret manipulation via improper
+    FFDH input validation
+  * CVE-2026-34871, boo#1261448: entropy could silently fall back to
+    /dev/urandom on platforms without a dedicated system call
+  * CVE-2026-25834, boo#1261526: algorithm downgrade vulnerability
+  * CVE-2026-25833, boo#1261524: buffer underflow in x509_inet_pton_ipv6()
+  * CVE-2026-25835, boo#1261525: weakness in PSA random generator cloning
+
+-------------------------------------------------------------------

Old:
----
  mbedtls-3.6.6.obscpio

New:
----
  mbedtls-3.6.7.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mbedtls-3.spec ++++++
--- /var/tmp/diff_new_pack.0HyDBn/_old  2026-07-14 13:49:43.174544823 +0200
+++ /var/tmp/diff_new_pack.0HyDBn/_new  2026-07-14 13:49:43.174544823 +0200
@@ -23,7 +23,7 @@
 %define lib_p256m   libp256m
 %define _rname      mbedtls
 Name:           mbedtls-3
-Version:        3.6.6
+Version:        3.6.7
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0 OR GPL-2.0-or-later

++++++ _service ++++++
--- /var/tmp/diff_new_pack.0HyDBn/_old  2026-07-14 13:49:43.230546751 +0200
+++ /var/tmp/diff_new_pack.0HyDBn/_new  2026-07-14 13:49:43.238547025 +0200
@@ -3,8 +3,8 @@
     <param name="url">https://github.com/Mbed-TLS/mbedtls.git</param>
     <param name="scm">git</param>
     <param name="versionformat">@PARENT_TAG@</param>
-    <param name="revision">refs/tags/v3.6.6</param>
-    <param name="versionrewrite-pattern">v(.*)</param>
+    <param name="revision">refs/tags/v3.6.7</param>
+    <param name="versionrewrite-pattern">(?:mbedtls-|v)(.*)</param>
     <param name="changesgenerate">enable</param>
   </service>
   <service name="set_version" mode="manual"/>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.0HyDBn/_old  2026-07-14 13:49:43.266547990 +0200
+++ /var/tmp/diff_new_pack.0HyDBn/_new  2026-07-14 13:49:43.270548127 +0200
@@ -1,7 +1,7 @@
 <servicedata>
   <service name="tar_scm">
     <param name="url">https://github.com/Mbed-TLS/mbedtls.git</param>
-    <param 
name="changesrevision">0bebf8b8c7f07abe3571ded48a11aa907a1ffb20</param>
+    <param 
name="changesrevision">068ff080b369adfac81509f9b57b2afabaf82dc5</param>
   </service>
 </servicedata>
 (No newline at EOF)

++++++ mbedtls-3.6.6.obscpio -> mbedtls-3.6.7.obscpio ++++++
++++ 18110 lines of diff (skipped)

++++++ mbedtls.obsinfo ++++++
--- /var/tmp/diff_new_pack.0HyDBn/_old  2026-07-14 13:49:46.610663110 +0200
+++ /var/tmp/diff_new_pack.0HyDBn/_new  2026-07-14 13:49:46.618663385 +0200
@@ -1,5 +1,5 @@
 name: mbedtls
-version: 3.6.6
-mtime: 1774562593
-commit: 0bebf8b8c7f07abe3571ded48a11aa907a1ffb20
+version: 3.6.7
+mtime: 1782903821
+commit: 068ff080b369adfac81509f9b57b2afabaf82dc5
 

Reply via email to