We have released Mbed TLS versions 3.5.0 and 2.28.5.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5, https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many Thanks.
Hi,
Regarding the vulnerability below that is corrected in these releases:
"Improve padding calculations in CBC decryption, NIST key unwrapping and RSA OAEP decryption. With the previous implementation, some compilers (notably recent versions of Clang and IAR) could produce non-constant time code, which could allow a padding oracle attack if the attacker has access to precise timing measurements."
Do we have any idea if gcc compilers are impacted (and if it is the case, which versions)?
Thanks!
___________
Gilles Piret
Cryptography Engineer
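The release-note text quoted above concerns padding checks that are written to run in constant time but that some compilers turned into code with data-dependent timing. As an added illustration (not code from Mbed TLS, nor from anyone in this thread), the following C shows a PKCS#7 padding check in its naive early-exit form beside a mask-based form of the kind constant-time libraries use: the mask-based version always inspects the whole final block and folds every comparison into a mask, so the work done does not depend on the plaintext. The sample blocks are constructed for the demonstration. The thread's point still applies to this source: branch-free C is necessary but not sufficient, and the emitted assembly has to be checked for each toolchain and optimisation level.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 16u

/* All-ones mask if x == 0, else 0. No data-dependent branch in the source. */
static uint32_t ct_mask_if_zero(uint32_t x)
{
    uint32_t nonzero = (x | (0u - x)) >> 31; /* 1 iff x != 0 */
    return nonzero - 1u;
}

/* All-ones mask if a < b, else 0. Valid for a, b < 2^31 (byte values qualify). */
static uint32_t ct_mask_if_lt(uint32_t a, uint32_t b)
{
    return 0u - ((a - b) >> 31);
}

/* Naive PKCS#7 unpadding: returns at the first bad byte, so the number of
 * bytes inspected (and hence the run time) depends on the decrypted data. */
int pkcs7_unpad_naive(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE) return -1;
    for (size_t i = 0; i < pad; i++) {
        if (buf[len - 1 - i] != pad) return -1; /* early exit leaks the position */
    }
    *out_len = len - pad;
    return 0;
}

/* Mask-based PKCS#7 unpadding: always scans the whole last block; each check
 * is accumulated into `bad` instead of branching. Only the public length is
 * used in a branch. Whether the compiler preserves this property is exactly
 * the concern raised in the thread. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len == 0 || len % BLOCK_SIZE != 0) return -1; /* length is public */
    uint32_t pad = buf[len - 1];
    uint32_t bad = ct_mask_if_zero(pad) | ct_mask_if_lt(BLOCK_SIZE, pad);
    for (uint32_t i = 0; i < BLOCK_SIZE; i++) {
        uint32_t in_pad = ct_mask_if_lt(i, pad);          /* all-ones iff i < pad */
        uint32_t diff = (uint32_t)buf[len - 1 - i] ^ pad; /* 0 iff byte == pad */
        bad |= in_pad & ~ct_mask_if_zero(diff);
    }
    size_t bad_sz = (size_t)0 - (size_t)(bad & 1u);    /* full-width mask */
    *out_len = (len - (size_t)(pad & ~bad)) & ~bad_sz; /* len - pad, or 0 on failure */
    return -(int)(bad & 1u);                           /* 0 on success, -1 on failure */
}

/* Convenience wrappers: unpadded length, or -1 if the padding is invalid. */
long unpad_naive_len(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return pkcs7_unpad_naive(buf, len, &n) == 0 ? (long)n : -1;
}

long unpad_ct_len(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    return pkcs7_unpad_ct(buf, len, &n) == 0 ? (long)n : -1;
}

/* Constructed sample blocks (plaintext after decryption; no real keys involved). */
const uint8_t sample_ok[16]   = { 'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 4, 4, 4 };
const uint8_t sample_bad[16]  = { 'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 5, 4, 4 };
const uint8_t sample_full[16] = { 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 };
const uint8_t sample_big[16]  = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17 };
const uint8_t sample_zero[16] = { 0 };

int main(void)
{
    printf("valid pad 4:  naive=%ld ct=%ld\n", unpad_naive_len(sample_ok, 16), unpad_ct_len(sample_ok, 16));
    printf("corrupt byte: naive=%ld ct=%ld\n", unpad_naive_len(sample_bad, 16), unpad_ct_len(sample_bad, 16));
    printf("full block:   naive=%ld ct=%ld\n", unpad_naive_len(sample_full, 16), unpad_ct_len(sample_full, 16));
    printf("pad 17:       naive=%ld ct=%ld\n", unpad_naive_len(sample_big, 16), unpad_ct_len(sample_big, 16));
    printf("pad 0:        naive=%ld ct=%ld\n", unpad_naive_len(sample_zero, 16), unpad_ct_len(sample_zero, 16));
    return 0;
}
```

Both functions return the same results; the difference is that the mask-based one performs the same sequence of loads and arithmetic for every input. To verify that property for a given build, compile with the toolchain and flags actually used in production and confirm in the disassembly that no conditional branch depends on `pad` or on the block contents.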
Hi Gilles,
We observed this issue with clang for Thumb1, x86 and x86_64, for most optimisation levels. We also observed it with IAR. We were not able to reproduce this with gcc, but since generated code could change with compiler version, optimisation settings, etc., we cannot guarantee that any particular combination is unaffected.
Sorry for the slow response.
Dave
From: Gilles Piret via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Thursday, 26 October 2023 at 17:29
To: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] Re: [Mbed-tls-announce] New Mbed TLS releases : 3.5.0 and 2.28.5
-- mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org