Use mbedTLS 3.6.2 released a few days ago (Oct 15, 2024) #98

@DL6ER (Member) commented Oct 18, 2024

What does this implement/fix?

See title. Quoting from https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2:

This release of Mbed TLS provides the fix for a security vulnerability.

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

  • Fix a buffer underrun in mbedtls_pk_write_key_der() when
    called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled,
    and the output buffer is smaller than the actual output.
  • Fix a related buffer underrun in mbedtls_pk_write_key_pem()
    when called on an opaque RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled
    and MBEDTLS_MPI_MAX_SIZE is smaller than needed for a 4096-bit RSA key.
    CVE-2024-49195

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repository's developmental branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER DL6ER merged commit 41f22d1 into master Oct 18, 2024
14 checks passed
@DL6ER DL6ER deleted the ftl-build/update_mbedtls branch October 18, 2024 18:58