MGASA-2020-0469

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0469.html

Import Source

https://advisories.mageia.org/MGASA-2020-0469.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2020-0469

Published

2020-12-21T21:47:06Z

Modified

2026-04-16T04:25:32.587911Z

Summary

Updated mbedtls packages fix security vulnerabilities

Details

This update provides security bug fixes and minor enhancements.

Limit the size of calculations performed by mbedtlsmpiexpmod to MBEDTLSMPIMAXSIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs.

A failure of the random generator was ignored in mbedtlsmpifill_random(), which is how most uses of randomization in asymmetric cryptography are implemented. This could cause failures or the silent use of non-random values.

Fix a compliance issue whereby the library did not check the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature.

Zeroising of local buffers and variables which are used for calculations in mbedtlspkcs5pbkdf2hmac(), mbedtlsinternalsha*process(), mbedtlsinternalmd*process() and mbedtlsinternalripemd160process() functions to erase sensitive data from memory.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / mbedtls

Package

Name: mbedtls
Purl: pkg:rpm/mageia/mbedtls?arch=source&distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.16.9-1.mga7

Ecosystem specific

{
    "section": "core"
}

Database specific

source

"https://advisories.mageia.org/MGASA-2020-0469.json"