Overview

Request 830740 accepted

- Do not run testsuite in parallel - its not reliable

- update to 2.23.0:
a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
* Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

Loading...
Request History
Martin Pluskal's avatar

pluskalm created request

- Do not run testsuite in parallel - its not reliable

- update to 2.23.0:
a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
* Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.


Factory Auto's avatar

factory-auto added opensuse-review-team as a reviewer

Please review sources


Factory Auto's avatar

factory-auto accepted review

Check script succeeded


Richard Brown's avatar

RBrownSUSE set openSUSE:Factory:Staging:F as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:F"


Richard Brown's avatar

RBrownSUSE accepted review

Picked "openSUSE:Factory:Staging:F"


Dominique Leuenberger's avatar

dimstar accepted review


Dominique Leuenberger's avatar

dimstar_suse added factory-staging as a reviewer

Being evaluated by group "factory-staging"


Dominique Leuenberger's avatar

dimstar_suse accepted review

Unstaged from project "openSUSE:Factory:Staging:F"


Richard Brown's avatar

RBrownSUSE set openSUSE:Factory:Staging:B as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:B"


Richard Brown's avatar

RBrownSUSE accepted review

Picked "openSUSE:Factory:Staging:B"


Saul Goodman's avatar

licensedigger accepted review

ok


Dominique Leuenberger's avatar

dimstar_suse accepted review

Staging Project openSUSE:Factory:Staging:B got accepted.


Dominique Leuenberger's avatar

dimstar_suse approved review

Staging Project openSUSE:Factory:Staging:B got accepted.


Dominique Leuenberger's avatar

dimstar_suse accepted request

Staging Project openSUSE:Factory:Staging:B got accepted.

openSUSE Build Service is sponsored by