UPDATE security/polarssl

Björn Ketelaars
Diff below brings mbedtls to 2.14.1, which fixes CVE-2018-19608.
Overview on changes can be found at
https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released

Minor of mbedcrypto has been bumped as symbols have been added.

make test runs successfully on amd64. Build tested its consumers, and
lightly tested with net/openvpn,mbedtls.

OK?


diff --git Makefile Makefile
index 2003be6c7a8..f5b20abbb8b 100644
--- Makefile
+++ Makefile
@@ -2,12 +2,12 @@
 
 COMMENT= SSL library with an intuitive API and readable source code
 
-DISTNAME= mbedtls-2.14.0
+DISTNAME= mbedtls-2.14.1
 EXTRACT_SUFX= -gpl.tgz
 
 # check SOVERSION
 SHARED_LIBS +=  mbedtls                   6.0 # 12
-SHARED_LIBS +=  mbedcrypto                4.0 # 3
+SHARED_LIBS +=  mbedcrypto                4.1 # 3
 SHARED_LIBS +=  mbedx509                  3.0 # 0
 
 CATEGORIES= security
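
Review bot: only mbedcrypto moves (4.0 to 4.1) in the SHARED_LIBS block, while mbedtls stays at 6.0 and mbedx509 at 3.0, and the message gives a reason only for the mbedcrypto minor. Please confirm that the exported symbols of the other two libraries were compared between 2.14.0 and 2.14.1 and are unchanged, since a removed or changed symbol there would need a major bump. The trailing "# 3" on the mbedcrypto line is also untouched; if it tracks upstream's SOVERSION, as the "# check SOVERSION" comment above it suggests, say whether upstream left it unchanged in this release.
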
diff --git distinfo distinfo
index 2712310e561..9b91233d01d 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.14.0-gpl.tgz) = fGLsAqV348ygHujNFh4eNpU3cUoUjvqv55iHudlVppE=
-SIZE (mbedtls-2.14.0-gpl.tgz) = 2471418
+SHA256 (mbedtls-2.14.1-gpl.tgz) = uqESGVJ4b1ssZsUiJqjKDgUSbekg0XViZlUd9neRW34=
+SIZE (mbedtls-2.14.1-gpl.tgz) = 2477521
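
Review bot: the new SHA256 and SIZE lines for mbedtls-2.14.1-gpl.tgz are the only integrity anchor for the new distfile, and the message does not say what the hash was checked against. For a security-fix update, please state whether the value was compared with a checksum published by upstream or with a second independent download, rather than only regenerated from the locally fetched tarball.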

Re: UPDATE security/polarssl

Klemens Nanni-2
On Fri, Dec 07, 2018 at 06:34:31AM +0100, Björn Ketelaars wrote:
> Diff below brings mbedtls to 2.14.1, which fixes CVE-2018-19608.
> Overview on changes can be found at
> https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
>
> Minor of mbedcrypto has been bumped as symbols have been added.
OK

Can you add a CVE quirks for this?

Re: UPDATE security/polarssl

Jeremie Courreges-Anglas-2
On Fri, Dec 07 2018, Björn Ketelaars <[hidden email]> wrote:

> Diff below brings mbedtls to 2.14.1, which fixes CVE-2018-19608.
> Overview on changes can be found at
> https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
>
> Minor of mbedcrypto has been bumped as symbols have been added.
>
> make test runs successfully on amd64. Build tested its consumers, and
> lightly tested with net/openvpn,mbedtls.
>
> OK?

ok jca@

>
> diff --git Makefile Makefile
> index 2003be6c7a8..f5b20abbb8b 100644
> --- Makefile
> +++ Makefile
> @@ -2,12 +2,12 @@
>  
>  COMMENT= SSL library with an intuitive API and readable source code
>  
> -DISTNAME= mbedtls-2.14.0
> +DISTNAME= mbedtls-2.14.1
>  EXTRACT_SUFX= -gpl.tgz
>  
>  # check SOVERSION
>  SHARED_LIBS +=  mbedtls                   6.0 # 12
> -SHARED_LIBS +=  mbedcrypto                4.0 # 3
> +SHARED_LIBS +=  mbedcrypto                4.1 # 3
>  SHARED_LIBS +=  mbedx509                  3.0 # 0
>  
>  CATEGORIES= security
> diff --git distinfo distinfo
> index 2712310e561..9b91233d01d 100644
> --- distinfo
> +++ distinfo
> @@ -1,2 +1,2 @@
> -SHA256 (mbedtls-2.14.0-gpl.tgz) = fGLsAqV348ygHujNFh4eNpU3cUoUjvqv55iHudlVppE=
> -SIZE (mbedtls-2.14.0-gpl.tgz) = 2471418
> +SHA256 (mbedtls-2.14.1-gpl.tgz) = uqESGVJ4b1ssZsUiJqjKDgUSbekg0XViZlUd9neRW34=
> +SIZE (mbedtls-2.14.1-gpl.tgz) = 2477521

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE