Hi,

Fixing the CVE product name for mbedtls uncovered a lot of CVEs. Some of these are fixed in the last 2.16 version, but some remain. Here is what I found:

- CVE-2020-36477 and CVE-2022-35409: I added patches in this PR, but they did NOT apply cleanly when cherry-picking them. Original commits:
  https://github.com/Mbed-TLS/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869
  https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2
- CVE-2021-43666: The patch is merged in 2.16.12, but the CPE does not exclude 2.16.12, so I added it to the whitelist.
- CVE-2021-45450 and CVE-2021-45451: I believe the CPEs are completely wrong here, as PSA was introduced in mbedtls-2.22.0. I may add them to the whitelist, but I believe the CPE has to be modified.
- CVE-2021-24119: Fixed in master and has to be backported, but it's not clear which commits exactly fixed the issue. It seems to be be165bd32b87 and some parents (from https://github.com/Mbed-TLS/mbedtls/pull/4305).

Best regards,
Mathieu
View/Reply Online (#99054): https://lists.openembedded.org/g/openembedded-devel/message/99054
