mbedTLS: Buffer overflow security issue, requires upgrade to 2.7.0 #6025
Assignees
Labels
area: Networking
area: Security
Security
bug
The issue is a bug, or the PR is fixing a bug
priority: high
High impact/importance bug
Milestone
Comments
galak
added a commit
to galak/zephyr
that referenced
this issue
Feb 7, 2018
Due to a security advisory released on February 1st 2018[1], it's advisable to update mbedTLS to 2.7.0. The vulnerability, identified as CVE-2018-0488 and CVE-2018-0487, risk remote code execution when truncated HMAC is enabled or when verifying RSASSA-PSS signatures. [1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 Fixes: zephyrproject-rtos#6025 Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
8 tasks
nashif
pushed a commit
that referenced
this issue
Feb 7, 2018
Due to a security advisory released on February 1st 2018[1], it's advisable to update mbedTLS to 2.7.0. The vulnerability, identified as CVE-2018-0488 and CVE-2018-0487, risk remote code execution when truncated HMAC is enabled or when verifying RSASSA-PSS signatures. [1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 Fixes: #6025 Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There is a pretty obvious, blatant buffer overflow possibility in the mbedTLS codebase (2.6.0) used by Zephyr as of now. It was fixed in 2.7.0 by this commit: Mbed-TLS/mbedtls@0b7b83fd9 .
In the interest of establishing Zephyr as the secure codebase, we should upgrade included mbedTLS for the 1.11 release.
The text was updated successfully, but these errors were encountered: