Your message dated Fri, 21 Nov 2025 12:06:37 +0000
with message-id <[email protected]>
and subject line Bug#1118750: fixed in mbedtls 3.6.5-0.1
has caused the Debian Bug report #1118750,
regarding mbedtls: CVE-2025-54764
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118750: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118750
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 3.6.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for mbedtls.

CVE-2025-54764[0]:
| Mbed TLS before 3.6.5 allows a local timing attack against certain
| RSA operations, and direct calls to mbedtls_mpi_mod_inv or
| mbedtls_mpi_gcd.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54764
    https://www.cve.org/CVERecord?id=CVE-2025-54764
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 3.6.5-0.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Nov 2025 22:00:32 +0200
Source: mbedtls
Architecture: source
Version: 3.6.5-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1118750 1118752
Changes:
 mbedtls (3.6.5-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-54764: Side channel in RSA key generation and operations
       (Closes: #1118750)
     - CVE-2025-59438: Padding oracle through timing of cipher error reporting
       (Closes: #1118752)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
