Your message dated Sat, 05 Apr 2025 14:44:17 +0000
with message-id <[email protected]>
and subject line Bug#1101499: fixed in mbedtls 3.6.3-1
has caused the Debian Bug report #1101499,
regarding mbedtls: CVE-2025-27809 CVE-2025-27810
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101499: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101499
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for mbedtls.
CVE-2025-27809[0]:
| Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side,
| accepts servers that have trusted certificates for arbitrary
| hostnames unless the TLS client application calls
| mbedtls_ssl_set_hostname.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
CVE-2025-27810[1]:
| Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of
| failed memory allocation or hardware errors, uses uninitialized
| stack memory to compose the TLS Finished message, potentially
| leading to authentication bypasses such as replays.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27809
https://www.cve.org/CVERecord?id=CVE-2025-27809
[1] https://security-tracker.debian.org/tracker/CVE-2025-27810
https://www.cve.org/CVERecord?id=CVE-2025-27810
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 3.6.3-1
Done: Andrea Pappacoda <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrea Pappacoda <[email protected]> (supplier of updated mbedtls package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 05 Apr 2025 15:45:07 +0200
Source: mbedtls
Architecture: source
Version: 3.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers
<[email protected]>
Changed-By: Andrea Pappacoda <[email protected]>
Closes: 1101499
Changes:
mbedtls (3.6.3-1) unstable; urgency=medium
.
* New upstream version 3.6.3
- Fixes CVE-2025-27809
- Fixes CVE-2025-27810
- Closes: #1101499
* d/control: use my @debian.org email address
* d/control: apply X-Style: black
* d/control: declare dpkg-build-api = 1
* d/.symbols: mark private symbol as optional, add new ones
Checksums-Sha1:
887b877ff4fa3400d2b4b6cdcfd77dc996dc3ba9 1957 mbedtls_3.6.3-1.dsc
ece6f4fb1abd088dcb792010b9571c647c9cab5c 5138248 mbedtls_3.6.3.orig.tar.bz2
07d5cc36b5e88d65e4fca50c9a569da3eb011620 18620 mbedtls_3.6.3-1.debian.tar.xz
Checksums-Sha256:
15300ec4eaea42ee3f4290a1c32ed7d10fbbc406980cc02618d5cd5437132036 1957
mbedtls_3.6.3-1.dsc
64cd73842cdc05e101172f7b437c65e7312e476206e1dbfd644433d11bc56327 5138248
mbedtls_3.6.3.orig.tar.bz2
3caa96f7d1393dddc4a5eb0c388df0281c4c613eae09f92314cb08a339a24b8c 18620
mbedtls_3.6.3-1.debian.tar.xz
Files:
b4982362b94ea37eccd63e8ab813ef16 1957 libs optional mbedtls_3.6.3-1.dsc
42552d8ccd02b32d5a36e80fbf9b47f8 5138248 libs optional
mbedtls_3.6.3.orig.tar.bz2
71e5ba3975c100a59ba55b8b995ca645 18620 libs optional
mbedtls_3.6.3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQS6VuNIvZRFHt7JcAdKkgiiRVB3pwUCZ/E3VgAKCRBKkgiiRVB3
p8+kAQDV5XwsWH8siA4e5OISD3NFshM0MgNSU3JU3qtz5kg0qQEA0IVj3DkWXIDN
wx0YjAjswBB5d3wHZR5AlnlihSzDBgk=
=dLbR
-----END PGP SIGNATURE-----
pgpTlNm3P59_I.pgp
Description: PGP signature
--- End Message ---