Hi Sawyer,
Thank you for your interest in Mbed TLS. Currently the status of these CVEs is:
- CVE-2020-16150 has been fixed in the latest Mbed TLS release.
- CVE-2018-1000520 is not a security issue; it has been studied and rejected.
- CVE-2016-3739 is a vulnerability in an application using Mbed TLS, not in Mbed TLS itself; it too has been fixed.
Does this answer your question?
(Also, I would like to make a minor clarification: we are not Arm Support. As far as I know, Arm does not offer official support for Mbed TLS. Arm only contributes engineers to the Mbed TLS project, and at the moment these engineers are the maintainers of Mbed TLS. We are on this mailing list and try to answer questions, but we are not doing that as official support provided by Arm, but as members of the community. Mbed TLS is supported by the community, and this mailing list is indeed the right place to get that support. I apologise for the nitpick; I just wanted to make sure that we are not giving the wrong impression.)
Best regards, Janos (Mbed TLS developer)
From: mbed-tls mbed-tls-bounces@lists.trustedfirmware.org on behalf of Sawyer Liu via mbed-tls mbed-tls@lists.trustedfirmware.org Reply to: Sawyer Liu sawyer.liu@nxp.com Date: Wednesday, 28 October 2020 at 01:59 To: "mbed-tls@lists.trustedfirmware.org" mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] About mbedtls CVE
Hello ARM Support,
About the CVEs below, is there any update? Thanks.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
Best Regards Sawyer Liu
Microcontrollers, NXP Semiconductors
Thanks Janos. Could you tell me which version has fixed CVE-2020-16150?
On 28 October 2020 at 17:40, Janos Follath <Janos.Follath@arm.com> wrote:
CVE-2020-16150
It was fixed in versions Mbed TLS 2.24.0, 2.16.8 and 2.7.17.
We have a security advisory discussing this issue in detail: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advis...
Best regards, Janos
From: Sawyer Liu sawyer.liu@nxp.com Date: Wednesday, 28 October 2020 at 09:54 To: Janos Follath Janos.Follath@arm.com Cc: "mbed-tls@lists.trustedfirmware.org" mbed-tls@lists.trustedfirmware.org Subject: Re: [EXT] Re: [mbed-tls] About mbedtls CVE
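As an added example (not code from this thread or from the Mbed TLS project): a branch-aware check of whether a given Mbed TLS version carries the fix for CVE-2020-16150, using the three fixed versions Janos lists (2.24.0, 2.16.8, 2.7.17). The point it shows is that a plain numeric comparison is wrong for a project with long-term-support branches: a non-LTS release such as 2.20.0 is numerically newer than 2.16.8 but is not on a branch that received the fix, while 2.16.8 is. The `MBEDTLS_VERSION_STRING` define is the one Mbed TLS ships in include/mbedtls/version.h; the header snippet fed to it is constructed here, and the function names are mine.

```python
"""Branch-aware check for the CVE-2020-16150 fix in Mbed TLS.

Fixed versions per the mailing-list reply: 2.24.0 (development branch),
2.16.8 and 2.7.17 (long-term-support branches). Added example; not part
of the Mbed TLS project.
"""
import re

# (major, minor) -> first fixed release on that LTS branch (from the thread).
LTS_FIXED = {
    (2, 7): (2, 7, 17),
    (2, 16): (2, 16, 8),
}
# First fixed release on the development branch (from the thread).
MAINLINE_FIXED = (2, 24, 0)

# Define format used by Mbed TLS in include/mbedtls/version.h.
_VERSION_DEFINE = re.compile(
    r'#define\s+MBEDTLS_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)"'
)


def parse_version(version_h_text):
    """Extract (major, minor, patch) from the text of version.h; None if absent."""
    m = _VERSION_DEFINE.search(version_h_text)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if `version` is at or past the CVE-2020-16150 fix for its branch.

    A release on an LTS branch is compared against that branch's fix;
    everything else is compared against the development-branch fix, so
    a release that sits numerically between an LTS fix and 2.24.0
    (e.g. 2.20.0) is reported as vulnerable.
    """
    version = tuple(version)
    branch_fixed = LTS_FIXED.get(version[:2])
    if branch_fixed is not None:
        return version >= branch_fixed
    return version >= MAINLINE_FIXED


def check_tree(version_h_text):
    """Return (version, fixed) for a version.h text, or (None, None) if unparseable."""
    version = parse_version(version_h_text)
    if version is None:
        return None, None
    return version, is_fixed(version)


# Constructed sample (hypothetical): a vendor SDK pinned to 2.16.6.
SAMPLE_VERSION_H = '''
#define MBEDTLS_VERSION_MAJOR  2
#define MBEDTLS_VERSION_MINOR  16
#define MBEDTLS_VERSION_PATCH  6
#define MBEDTLS_VERSION_STRING         "2.16.6"
#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.6"
'''

if __name__ == "__main__":
    ver, fixed = check_tree(SAMPLE_VERSION_H)
    status = "fixed" if fixed else "vulnerable to CVE-2020-16150"
    print("Mbed TLS %s: %s" % (".".join(map(str, ver)), status))
```

To use it on a real tree, read include/mbedtls/version.h and pass its contents to `check_tree`; the same table-driven shape extends to other advisories by adding a per-CVE fixed-version table, as long as each branch's own fix release is recorded rather than a single global threshold.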