[PATCH 04/11] mbedtls: Update to version 2.16.12
Hauke Mehrtens
hauke at hauke-m.de
Sun Jan 30 10:28:54 PST 2022
On 1/30/22 17:25, Hauke Mehrtens wrote:
> This fixes the following security problems:
> * Zeroize several intermediate variables used to calculate the expected
> value when verifying a MAC or AEAD tag. This hardens the library in
> case the value leaks through a memory disclosure vulnerability. For
> example, a memory disclosure vulnerability could have allowed a
> man-in-the-middle to inject fake ciphertext into a DTLS connection.
> * Fix a double-free that happened after mbedtls_ssl_set_session() or
> mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
> (out of memory). After that, calling mbedtls_ssl_session_free()
> and mbedtls_ssl_free() would cause an internal session buffer to
> be free()'d twice. CVE-2021-44732
>
> The sizes of the ipk changed on MIPS 24Kc like this:
> 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
> 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
>
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
> package/libs/mbedtls/Makefile | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
Mbed TLS 2.28 is the new long term branch supported for the next 3
years. We should probably update to this version to continue to get
updates fro master.
https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0
I would still merge this update of the minor version and we can do the
major version update in a separate step.
Hauke
More information about the openwrt-devel
mailing list