[3.8] mbedtls: Multiple vulnerabilities (CVE-2018-0497, CVE-2018-0498)
CVE-2018-0497: Remote plaintext recovery on use of CBC-based ciphersuites through a timing side-channel.
Affected Versions:
All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases.
Fixed In Version:
Mbed TLS 2.12.0, 2.7.5 or 2.1.14 or later.
References:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
CVE-2018-0498: When using a CBC-based ciphersuite, an attacker with the ability to execute arbitrary code on the machine under attack can partially recover the plaintext by use of cache-based side-channels.
Affected Versions:
All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases.
Fixed In Version:
Mbed TLS 2.12.0, 2.7.5 or 2.1.14 or later.
References:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
(from redmine: issue id 9239, created on 2018-08-13, closed on 2018-08-14)
- Changesets:
- Revision 1c0e971a by Natanael Copa on 2018-08-13T17:41:22Z:
community/mbedtls: security upgrade to 2.7.5 (CVE-2018-0497,CVE-2018-0498)
fixes #9239