Hi Janos,

       Thank for your clarification.

       I will explain it to my customers.

 

Best Regards

Sawyer Liu

 

From: Janos Follath <Janos.Follath@arm.com>
Sent: Wednesday, November 4, 2020 20:26
To: Sawyer Liu <sawyer.liu@nxp.com>
Cc: mbed-tls@lists.trustedfirmware.org
Subject: [EXT] Re: [mbed-tls] About mbedtls CVE

 

Caution: EXT Email

Hi Sawyer,

 

After looking at the issues in more detail I would like to be more precise about CVE-2018-1000520:

 

(Many thanks to Simon Butcher for noticing this and pointing it out.)

 

Please let me know if I you would like to know more about this issue.

 

Best regards,

Janos

(Mbed TLS developer)

 

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Janos Follath via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Reply to: Janos Follath <Janos.Follath@arm.com>
Date: Wednesday, 28 October 2020 at 09:42
To: Sawyer Liu <sawyer.liu@nxp.com>
Cc: "mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.org>
Subject: Re: [mbed-tls] About mbedtls CVE

 

Hi Sawyer,

 

Thank you for your interest in Mbed TLS. Currently the status of these CVE’s is:

- CVE-2020-16150 has been fixed in the latest Mbed TLS release

- CVE-2018-1000520 is not a security issue, it had been studied and rejected

- CVE-2016-3739 is a vulnerability in an application using Mbed TLS but not in Mbed TLS itself, also it too had been fixed.

 

Does this answer your question?

 

(Also, I would like to make a minor clarification: we are not Arm Support. As far as I know Arm does not offer official support for Mbed TLS. Arm only contributes engineers to the Mbed TLS project, and at the moment these engineers are the maintainers of Mbed TLS. We are on this mailing list and try to answer questions, but we are not doing that as official support provided by Arm, but as members of the community. Mbed TLS is supported by the community and this mailing list is indeed the right place to get that support. I apologise for the nitpick, I just wanted to make sure that we are not giving the wrong impressions.)

 

Best regards,

Janos

(Mbed TLS developer)

 

From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Sawyer Liu via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Reply to: Sawyer Liu <sawyer.liu@nxp.com>
Date: Wednesday, 28 October 2020 at 01:59
To: "mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] About mbedtls CVE

 

Hello ARM Support,

       About below CVEs, any update? Thanks.

        

         https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000520

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739

 

 

Best Regards

Sawyer Liu

 

Microcontrollers, NXP Semiconductors