Hi Sawyer,

After looking at the issues in more detail I would like to be more precise about CVE-2018-1000520:

It is not a security issue in the context of TLS 1.2
It can be a security issue if TLS 1.0 or TLS 1.1 is used
The severity is so low that we decided not fixing it ourselves, but to open it up for community contributions
The corresponding issue has been closed down by mistake, I am reopening it now: https://github.com/ARMmbed/mbedtls/issues/1561

(Many thanks to Simon Butcher for noticing this and pointing it out.)

Please let me know if I you would like to know more about this issue.

Best regards,

Janos

(Mbed TLS developer)

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Janos Follath via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Reply to: Janos Follath <Janos.Follath@arm.com>
Date: Wednesday, 28 October 2020 at 09:42
To: Sawyer Liu <sawyer.liu@nxp.com>
Cc: "mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.org>
Subject: Re: [mbed-tls] About mbedtls CVE

Hi Sawyer,

Thank you for your interest in Mbed TLS. Currently the status of these CVE’s is:

- CVE-2020-16150 has been fixed in the latest Mbed TLS release

- CVE-2018-1000520 is not a security issue, it had been studied and rejected

- CVE-2016-3739 is a vulnerability in an application using Mbed TLS but not in Mbed TLS itself, also it too had been fixed.

Does this answer your question?

(Also, I would like to make a minor clarification: we are not Arm Support. As far as I know Arm does not offer official support for Mbed TLS. Arm only contributes engineers to the Mbed TLS project, and at the moment these engineers are the maintainers of Mbed TLS. We are on this mailing list and try to answer questions, but we are not doing that as official support provided by Arm, but as members of the community. Mbed TLS is supported by the community and this mailing list is indeed the right place to get that support. I apologise for the nitpick, I just wanted to make sure that we are not giving the wrong impressions.)

Best regards,

Janos

(Mbed TLS developer)

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Sawyer Liu via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Reply to: Sawyer Liu <sawyer.liu@nxp.com>
Date: Wednesday, 28 October 2020 at 01:59
To: "mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] About mbedtls CVE

Hello ARM Support,

About below CVEs, any update? Thanks.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000520

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739

Best Regards

Sawyer Liu

Microcontrollers, NXP Semiconductors