Hi Sawyer,
After looking at the issues in more detail I would like to be more precise about CVE-2018-1000520:
* It is not a security issue in the context of TLS 1.2 * It can be a security issue if TLS 1.0 or TLS 1.1 is used * The severity is so low that we decided not fixing it ourselves, but to open it up for community contributions * The corresponding issue has been closed down by mistake, I am reopening it now: https://github.com/ARMmbed/mbedtls/issues/1561
(Many thanks to Simon Butcher for noticing this and pointing it out.)
Please let me know if I you would like to know more about this issue.
Best regards, Janos (Mbed TLS developer)
From: mbed-tls mbed-tls-bounces@lists.trustedfirmware.org on behalf of Janos Follath via mbed-tls mbed-tls@lists.trustedfirmware.org Reply to: Janos Follath Janos.Follath@arm.com Date: Wednesday, 28 October 2020 at 09:42 To: Sawyer Liu sawyer.liu@nxp.com Cc: "mbed-tls@lists.trustedfirmware.org" mbed-tls@lists.trustedfirmware.org Subject: Re: [mbed-tls] About mbedtls CVE
Hi Sawyer,
Thank you for your interest in Mbed TLS. Currently the status of these CVE’s is: - CVE-2020-16150 has been fixed in the latest Mbed TLS release - CVE-2018-1000520 is not a security issue, it had been studied and rejected - CVE-2016-3739 is a vulnerability in an application using Mbed TLS but not in Mbed TLS itself, also it too had been fixed.
Does this answer your question?
(Also, I would like to make a minor clarification: we are not Arm Support. As far as I know Arm does not offer official support for Mbed TLS. Arm only contributes engineers to the Mbed TLS project, and at the moment these engineers are the maintainers of Mbed TLS. We are on this mailing list and try to answer questions, but we are not doing that as official support provided by Arm, but as members of the community. Mbed TLS is supported by the community and this mailing list is indeed the right place to get that support. I apologise for the nitpick, I just wanted to make sure that we are not giving the wrong impressions.)
Best regards, Janos (Mbed TLS developer)
From: mbed-tls mbed-tls-bounces@lists.trustedfirmware.org on behalf of Sawyer Liu via mbed-tls mbed-tls@lists.trustedfirmware.org Reply to: Sawyer Liu sawyer.liu@nxp.com Date: Wednesday, 28 October 2020 at 01:59 To: "mbed-tls@lists.trustedfirmware.org" mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] About mbedtls CVE
Hello ARM Support, About below CVEs, any update? Thanks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2020-16150&data=04%7C01%7Cxiumei.li%40nxp.com%7Ca3de884f420d44cbc6c108d879511e0c%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637392736588282855%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=GXDoSxW0Ge8OyTrX%2FsqIPgqoir%2Ffu5%2BpHJOF25mHjck%3D&reserved=0 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000520 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
Best Regards Sawyer Liu
Microcontrollers, NXP Semiconductors
Hi Janos, Thank for your clarification. I will explain it to my customers.
Best Regards Sawyer Liu
From: Janos Follath Janos.Follath@arm.com Sent: Wednesday, November 4, 2020 20:26 To: Sawyer Liu sawyer.liu@nxp.com Cc: mbed-tls@lists.trustedfirmware.org Subject: [EXT] Re: [mbed-tls] About mbedtls CVE
Caution: EXT Email Hi Sawyer,
After looking at the issues in more detail I would like to be more precise about CVE-2018-1000520:
* It is not a security issue in the context of TLS 1.2 * It can be a security issue if TLS 1.0 or TLS 1.1 is used * The severity is so low that we decided not fixing it ourselves, but to open it up for community contributions * The corresponding issue has been closed down by mistake, I am reopening it now: https://github.com/ARMmbed/mbedtls/issues/1561https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FARMmbed%2Fmbedtls%2Fissues%2F1561&data=04%7C01%7Csawyer.liu%40nxp.com%7Cdf0e832b322c4c1ddba908d880bcc40c%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C637400895533229172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=OFWKKaqRphmIGqINUmwNJAYA5PRjnbBhn1GxLMjjvAU%3D&reserved=0
(Many thanks to Simon Butcher for noticing this and pointing it out.)
Please let me know if I you would like to know more about this issue.
Best regards, Janos (Mbed TLS developer)
From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.orgmailto:mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Janos Follath via mbed-tls <mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org> Reply to: Janos Follath <Janos.Follath@arm.commailto:Janos.Follath@arm.com> Date: Wednesday, 28 October 2020 at 09:42 To: Sawyer Liu <sawyer.liu@nxp.commailto:sawyer.liu@nxp.com> Cc: "mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org> Subject: Re: [mbed-tls] About mbedtls CVE
Hi Sawyer,
Thank you for your interest in Mbed TLS. Currently the status of these CVE’s is: - CVE-2020-16150 has been fixed in the latest Mbed TLS release - CVE-2018-1000520 is not a security issue, it had been studied and rejected - CVE-2016-3739 is a vulnerability in an application using Mbed TLS but not in Mbed TLS itself, also it too had been fixed.
Does this answer your question?
(Also, I would like to make a minor clarification: we are not Arm Support. As far as I know Arm does not offer official support for Mbed TLS. Arm only contributes engineers to the Mbed TLS project, and at the moment these engineers are the maintainers of Mbed TLS. We are on this mailing list and try to answer questions, but we are not doing that as official support provided by Arm, but as members of the community. Mbed TLS is supported by the community and this mailing list is indeed the right place to get that support. I apologise for the nitpick, I just wanted to make sure that we are not giving the wrong impressions.)
Best regards, Janos (Mbed TLS developer)
From: mbed-tls <mbed-tls-bounces@lists.trustedfirmware.orgmailto:mbed-tls-bounces@lists.trustedfirmware.org> on behalf of Sawyer Liu via mbed-tls <mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org> Reply to: Sawyer Liu <sawyer.liu@nxp.commailto:sawyer.liu@nxp.com> Date: Wednesday, 28 October 2020 at 01:59 To: "mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org" <mbed-tls@lists.trustedfirmware.orgmailto:mbed-tls@lists.trustedfirmware.org> Subject: [mbed-tls] About mbedtls CVE
Hello ARM Support, About below CVEs, any update? Thanks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2020-16150&data=04%7C01%7Csawyer.liu%40nxp.com%7Cdf0e832b322c4c1ddba908d880bcc40c%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C637400895533229172%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=hnVEJspZ5OcSOcP6Ll%2BIRury6JJSJwD5BRQ%2BIIK0D8E%3D&reserved=0 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000520https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2018-1000520&data=04%7C01%7Csawyer.liu%40nxp.com%7Cdf0e832b322c4c1ddba908d880bcc40c%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C637400895533239138%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=nvcvku3%2B9u5uK3kGAvb29nLGLZ28I9Xop3OqrYfYIe8%3D&reserved=0 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2016-3739&data=04%7C01%7Csawyer.liu%40nxp.com%7Cdf0e832b322c4c1ddba908d880bcc40c%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C637400895533239138%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=9Vp9naXZWjwlKzB8UrpFrJ4oLM%2BytAS1N2L0RKckWes%3D&reserved=0
Best Regards Sawyer Liu
Microcontrollers, NXP Semiconductors
mbed-tls@lists.trustedfirmware.org