[PATCH 04/11] mbedtls: Update to version 2.16.12

Hauke Mehrtens hauke at hauke-m.de
Sun Jan 30 10:28:54 PST 2022


On 1/30/22 17:25, Hauke Mehrtens wrote:
> This fixes the following security problems:
> * Zeroize several intermediate variables used to calculate the expected
>    value when verifying a MAC or AEAD tag. This hardens the library in
>    case the value leaks through a memory disclosure vulnerability. For
>    example, a memory disclosure vulnerability could have allowed a
>    man-in-the-middle to inject fake ciphertext into a DTLS connection.
> * Fix a double-free that happened after mbedtls_ssl_set_session() or
>    mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
>    (out of memory). After that, calling mbedtls_ssl_session_free()
>    and mbedtls_ssl_free() would cause an internal session buffer to
>    be free()'d twice. CVE-2021-44732
> 
> The sizes of the ipk changed on MIPS 24Kc like this:
> 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
> 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
> 
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
>   package/libs/mbedtls/Makefile | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 

Mbed TLS 2.28 is the new long term branch supported for the next 3 
years. We should probably update to this version to continue to get 
updates fro master.
https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0

I would still merge this update of the minor version and we can do the 
major version update in a separate step.

Hauke



More information about the openwrt-devel mailing list