mbedtls: upgrade to 2.28.2 to fix CVE-2022-46392, CVE-2022-46393 - linux/meta-openembedded.git - Mirror of git.openembedded.org/meta-openembedded

diff options

author	Stefan Ghinea <stefan.ghinea@windriver.com>	2023-01-26 23:07:40 +0200
committer	Armin Kuster <akuster808@gmail.com>	2023-03-21 14:37:51 -0400
commit	3f9340a9241d497753b330d90d6a3d8332c1ba7f (patch)
tree	fdd380bdfef15e18463238e0edec826a891e3974 /meta-perl/recipes-perl/libxml/libxml-libxml-perl/using-DOCB-conditional.patch
parent	5750c2be10a7f843c602c039643083fb5f6bc40a (diff)
download	meta-openembedded-3f9340a9241d497753b330d90d6a3d8332c1ba7f.tar.gz

mbedtls: upgrade to 2.28.2 to fix CVE-2022-46392, CVE-2022-46393

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller. An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. References: https://nvd.nist.gov/vuln/detail/CVE-2022-46392 https://nvd.nist.gov/vuln/detail/CVE-2022-46393 Upstream patches: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 2ab113e8be42ae2dd61babb8e9a1742684df1f59) Signed-off-by: Armin Kuster <akuster808@gmail.com>

Diffstat (limited to 'meta-perl/recipes-perl/libxml/libxml-libxml-perl/using-DOCB-conditional.patch')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: