Control: tag -1 moreinfo

Hi,

Sorry about the long delay to this.

On Sun, Feb 20, 2022 at 12:25:47PM +0100, Andrea Pappacoda wrote:
> This upstream release only contains fixes anyway,

I'm not sure that's strictly true:

> +Default behavior changes
> +   * In mbedtls_rsa_context objects, the ver field was formerly documented
> +     as always 0. It is now reserved for internal purposes and may take
> +     different values.

and arguably:

> +Changes
> +   * Improve the performance of base64 constant-flow code. The result is
> still
> +     slower than the original non-constant-flow implementation, but much
> faster
> +     than the previous constant-flow implementation. Fixes #4814.

(not a functional change, but one with some risk).

In any case, I'm not sure that CVE-2021-44732 is as serious as you make out. It's impactful, yes, but doesn't the out-of-memory condition mean another exploit or outrageous good fortune is also required to trigger this?

Thanks,

-- 
Jonathan Wiltshire                                      [email protected]
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3  5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
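The changelog entry quoted in the message above refers to mbedtls's base64 "constant-flow" code without saying what that means. The following is an added illustration, written for this page; it is not mbedtls's implementation and not anything posted in this bug thread. It puts a conventional branchy base64 character decoder next to a constant-flow one, in which every alphabet range is tested on every byte and the result is selected with arithmetic masks rather than by a branch on the byte's value, and then builds a small decoder on top of it. All function names (`ct_in_range`, `b64_dec_char_ct`, `b64_decode_ct`) and the sample input are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper (not from mbedtls): 0xFF if lo <= c <= hi, else 0x00,
 * computed with arithmetic only so that no branch depends on the value of c. */
static unsigned char ct_in_range(unsigned char c, unsigned char lo, unsigned char hi)
{
    uint32_t lo_ok = (uint32_t)c - (uint32_t)lo;  /* wraps (top bit set) iff c < lo */
    uint32_t hi_ok = (uint32_t)hi - (uint32_t)c;  /* wraps (top bit set) iff c > hi */
    uint32_t bad = (lo_ok | hi_ok) >> 31;         /* 1 when either subtraction wrapped */
    return (unsigned char)(bad - 1);              /* bad 0 -> 0xFF, bad 1 -> 0x00 */
}

/* Conventional decoder: control flow depends on the (possibly secret) byte. */
static int b64_dec_char_branchy(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Constant-flow decoder: every range test runs every time and the result is
 * selected with masks. Returns 0..63, or -1 for a byte outside the alphabet. */
static int b64_dec_char_ct(unsigned char c)
{
    unsigned char m, v = 0, valid = 0;
    int invalid;

    m = ct_in_range(c, 'A', 'Z'); v |= m & (unsigned char)(c - 'A');      valid |= m;
    m = ct_in_range(c, 'a', 'z'); v |= m & (unsigned char)(c - 'a' + 26); valid |= m;
    m = ct_in_range(c, '0', '9'); v |= m & (unsigned char)(c - '0' + 52); valid |= m;
    m = ct_in_range(c, '+', '+'); v |= m & 62;                             valid |= m;
    m = ct_in_range(c, '/', '/'); v |= m & 63;                             valid |= m;

    /* valid is 0xFF or 0x00; turn that into v or -1 without branching on it. */
    invalid = (valid & 1) ^ 1;
    return (int)v - invalid * ((int)v + 1);
}

/* Minimal padded-base64 decoder built on the constant-flow classifier.
 * Returns the number of bytes written, or -1 if the input is malformed.
 * It branches only on the input length and on loop counters, which are
 * treated as public. It is not a strict RFC 4648 validator: unused
 * trailing bits before the padding are not checked. */
static int b64_decode_ct(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    size_t pad = 0, n_chars, out_len, i, o = 0;
    uint32_t acc = 0, bad = 0;
    int bits = 0;

    if (in_len % 4 != 0) return -1;
    if (in_len == 0) return 0;
    if (in[in_len - 1] == '=') pad++;
    if (pad == 1 && in[in_len - 2] == '=') pad++;
    n_chars = in_len - pad;
    out_len = (in_len / 4) * 3 - pad;
    if (out_len > out_cap) return -1;

    for (i = 0; i < n_chars; i++) {
        int d = b64_dec_char_ct((unsigned char)in[i]);
        bad |= (uint32_t)d >> 31;                 /* d == -1 sets the top bit */
        acc = (acc << 6) | (uint32_t)(d & 0x3F);
        bits += 6;
        if (bits >= 8) {                          /* depends on position, not data */
            bits -= 8;
            out[o++] = (unsigned char)(acc >> bits);
        }
    }
    if (bad || o != out_len) return -1;           /* a '=' in the middle also lands here */
    return (int)o;
}

int main(void)
{
    /* Constructed sample input for the example. */
    const char *sample = "aGVsbG8=";
    unsigned char buf[16];
    int n = b64_decode_ct(sample, strlen(sample), buf, sizeof buf);
    if (n < 0) { puts("malformed input"); return 1; }
    printf("%.*s\n", n, buf);
    return 0;
}
```

The branchy version is what most people write first and is what the changelog calls the "original non-constant-flow implementation": it is faster, but which comparison succeeds, and so how long the function runs and which instructions execute, depends on the byte being decoded. The constant-flow version does the same amount of work for every byte, which is the property you want when the base64 payload is key material, at the cost of the slowdown the changelog describes.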

