Your message dated Sat, 17 Mar 2018 21:42:29 +0000
with message-id <e1exjav-0004bq...@fasolo.debian.org>
and subject line Bug#890287: fixed in mbedtls 2.4.2-1+deb9u2
has caused the Debian Bug report #890287,
regarding mbedtls: CVE-2018-0488 - Risk of remote code execution when truncated 
HMAC is enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890287: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

Vulnerability
When the truncated HMAC extension is enabled and CBC is used, sending a
malicious application packet can be used to selectively corrupt 6 bytes
on the peer's heap, potentially leading to a crash or remote code
execution. This can be triggered remotely from either side in both TLS
and DTLS.

If the truncated HMAC extension, which can be set by the compile time
option MBEDTLS_SSL_TRUNCATED_HMAC in config.h, is disabled when
compiling the library, then the vulnerability is not present. The
truncated HMAC extension is enabled in the default configuration.

The vulnerability is only present if
* The compile-time option MBEDTLS_SSL_TRUNCATED_HMAC is set in config.h.
  (It is set by default) AND
* The truncated HMAC extension is explicitly offered by calling
  mbedtls_ssl_conf_truncated_hmac(). (It is not offered by default)

Impact
Depending on the platform, an attack exploiting this vulnerability could
lead to an application crash or allow remote code execution.

Resolution
Affected users should upgrade to Mbed TLS 1.3.22, Mbed TLS 2.1.10 or
Mbed TLS 2.7.0.

Workaround
Users should wherever possible upgrade to the newer version of Mbed TLS.
Where this is not practical, users should consider disabling the
truncated HMAC extension by removing any call to
mbedtls_ssl_conf_truncated_hmac() in their application, and the option
MBEDTLS_SSL_TRUNCATED_HMAC in the Mbed TLS configuration is practical
for their application.

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 2.4.2-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 05 Mar 2018 18:24:47 +0000
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.4.2-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: James Cowgill <jcowg...@debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate 
library
Closes: 890287 890288
Changes:
 mbedtls (2.4.2-1+deb9u2) stretch-security; urgency=high
 .
   * Fix CVE-2017-18187:
     Unsafe bounds check in ssl_parse_client_psk_identity().
   * Fix CVE-2018-0487:
     Buffer overflow when verifying RSASSA-PSS signatures. (Closes: #890288)
   * Fix CVE-2018-0488:
     Buffer overflow when truncated HMAC is enabled. (Closes: #890287)
Checksums-Sha1:
 63035736a04d0b6cbae6d6b150c0d41a1ad23004 2248 mbedtls_2.4.2-1+deb9u2.dsc
 2ae3ae3fd203e642cce6f2953ae7edf452885af4 18908 
mbedtls_2.4.2-1+deb9u2.debian.tar.xz
 c0cd4d3a535190d028cbfa6b1ffdeb24262282cc 6713 
mbedtls_2.4.2-1+deb9u2_source.buildinfo
Checksums-Sha256:
 da25c581f6287a26542490736310f8df993893683545600ae9df95be4e412914 2248 
mbedtls_2.4.2-1+deb9u2.dsc
 a7e72e80bdeb44f90555348ad40d5e31ed5f01d66d1583bd9a0ebb11ef7ad7fc 18908 
mbedtls_2.4.2-1+deb9u2.debian.tar.xz
 92179f5483779bb3b96c30f9f9c674964460bb2cdc444f8933f082842b3da02d 6713 
mbedtls_2.4.2-1+deb9u2_source.buildinfo
Files:
 d2e54e46950a48b3f8327288daa16ad3 2248 libs optional mbedtls_2.4.2-1+deb9u2.dsc
 72515ee69ddd36c21e530ca77e5ed047 18908 libs optional 
mbedtls_2.4.2-1+deb9u2.debian.tar.xz
 61b0614143b22a11ed8f4da9af858fff 6713 libs optional 
mbedtls_2.4.2-1+deb9u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlqgUg0UHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe/uCg/+IlA5q+PXrRKxWlQ1cY1pF9yhmsdr
MJS7L1Es+jlgWIOnQRi2sV6ojJY+vlz/EyXJEzzZcUIVW/QwX64kbkcTyJ0kx/Zy
+BRRq5QIuHqr1NiBzZu2Bfq2oiW8HUGZie//z3hvRLFf7H1x1vi6ABWiPlIta3zb
zIGu+iSVcDVhcvfdj7BdosB9I/osjyTR5wKB0B7n9GChNtRbc+Wnp/LxgNpb1rAT
HzAs//QQ1sFCeI8p7pR1bdYLvqfccUQgg3ZuKUVmDpH7jjIWTjKfhLSXiAN02/5r
+bYUAc+PiDQP/ZNPF6N/DLVm4P7xu05YSv+P9s7K15UpmuxPO3Lwap6FzFeR/+ec
peuI5Sn4NYZph9lF/xeUZayvvl5pfmakwj+C8sJyrXTUxHnFOptyDVX+RB6A9mq5
kNTYgvTH9ubtMxDASNXY0hZWnXwwBXGy8Y2WcqLMwJXPadUVaiZbUZNPTwpCGl7s
XD8a2hgYf0260g0JLAxaV3aS6lH1aYsK8VHJbwQrarz4+E5jqt3aI91vjm+3WBl3
TUPTDlXA9mMqVm8xWRcdenSKRhlyVdtU+coB13LBF9WJSl7a68BYe1eWEbXKfQl8
J32ynL8pRYnjrhRmbJ+r3Jb8y2mAHjnF6iABqrPZwXyIub2Oj4mN15xjSjmNFDjW
xOOTEEiToJiVais=
=yWul
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to