Hi Yuxiang,

Yes, those are the actual commits for fixing the RSA timing side channel vulnerability.

(The following 6 commits add documentation and fix minor build issues. The remaining commits are related to the other security issue and the release.)

Best,

Janos

From: Yuxiang Cao via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Saturday, 27 January 2024 at 19:24
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Question about fix of "Timing side channel in private key RSA operations"

Hi folks,

This is a question about understanding the changes in the recent new release.

I want to understand how the new release, e.g. 2.28.7, fixes the vulnerability described in https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/.

I want to check whether the following commits in the new release, for example 2.28.7, are the actual commits for fixing the vulnerability above:

42175031ca48e2fba62b97fc802e5df33d5221ff

4fe396f1e1aa84346e23b89435a251624c205035

aa6760d7b5d9a218eaf072f4155974f58b00986b

601bffc4cec7c78cfc6b64048379172578fce13c

In short, they are the first 4 commits I found in https://github.com/Mbed-TLS/mbedtls/compare/v2.28.6...v2.28.7

Thank you for any help you can provide!

Best,

Yuxiang