Hi Yuxiang,
Yes, those are the actual commits for fixing the RSA timing side channel vulnerability.
(The following 6 commits add documentation and fix minor build issues. The remaining commits are related to the other security issue and the release.)
Best, Janos
From: Yuxiang Cao via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Saturday, 27 January 2024 at 19:24 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] Question about fix of "Timing side channel in private key RSA operations" Hi folks,
This is a question about understanding changes in recent new release. I want to understand how new release e.g. 2.28.7 fix the vulnerable described in https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-securi....
Want to check that if following commits in new release, for example 2.28.7, are the actual commits for fixing the vulnerable above:
42175031ca48e2fba62b97fc802e5df33d5221ff 4fe396f1e1aa84346e23b89435a251624c205035 aa6760d7b5d9a218eaf072f4155974f58b00986b 601bffc4cec7c78cfc6b64048379172578fce13c
In short, they are first 4 commits in I found https://github.com/Mbed-TLS/mbedtls/compare/v2.28.6...v2.28.7
Thank you for any help you can provide!
Best, Yuxiang