MGASA-2020-0293

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0293.html

Import Source

https://advisories.mageia.org/MGASA-2020-0293.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0293

Published

2020-07-10T15:40:08Z

Modified

2026-04-16T04:25:48.165301Z

Summary

Updated mbedtls packages fix security vulnerability

Details

Updated mbedtls packages fix security vulnerabilities

Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave.

Fix side channel in mbedtlsecpcheckpubpriv() and mbedtlspkparsekey() / mbedtlspkparsekeyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtlsecpmul() / mbedtlsecpmulrestartable() when called with a NULL frng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key.

Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLSSHAxxxALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / mbedtls

Package

Name: mbedtls
Purl: pkg:rpm/mageia/mbedtls?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.16.7-1.mga7

Ecosystem specific

{
    "section": "core"
}

Database specific

source

"https://advisories.mageia.org/MGASA-2020-0293.json"