mbedTLS 2.26.X contains multiple vulnerabilities #56071
Assignees
Labels
area: Security
Security
bug
The issue is a bug, or the PR is fixing a bug
LTS
Long term release branch related
priority: high
High impact/importance bug
Milestone
Comments
ceolin
added
bug
ceolin
added this to To do
in Security features/improvements/documentation
via automation
ceolin
added a commit
to ceolin/zephyr
that referenced
this issue
May 8, 2023
Zephyr mbedTLS was updated to 2.28.x which is a LTS release and address several vulnerabilities affecting 2.26 (version that used to be used on Zephyr LTS). Unfortunately this mbedTLS version is not compatible with TF-M and backporting mbedTLS fixes was not a viable solution. Due this problem we are removing TF-M module from Zephyr's LTS. One still can go and add it to this manifest if needed, but this is no longer "officially" supported. More information in: zephyrproject-rtos#56071 zephyrproject-rtos#54084 Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
ceolin
added a commit
to ceolin/zephyr
that referenced
this issue
May 15, 2023
Zephyr mbedTLS was updated to 2.28.x which is a LTS release and address several vulnerabilities affecting 2.26 (version that used to be used on Zephyr LTS). Unfortunately this mbedTLS version is not compatible with TF-M and backporting mbedTLS fixes was not a viable solution. Due this problem we are removing TF-M module from Zephyr's LTS. One still can go and add it to this manifest if needed, but this is no longer "officially" supported. More information in: zephyrproject-rtos#56071 zephyrproject-rtos#54084 Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
cfriedt
pushed a commit
that referenced
this issue
May 17, 2023
Zephyr mbedTLS was updated to 2.28.x which is a LTS release and address several vulnerabilities affecting 2.26 (version that used to be used on Zephyr LTS). Unfortunately this mbedTLS version is not compatible with TF-M and backporting mbedTLS fixes was not a viable solution. Due this problem we are removing TF-M module from Zephyr's LTS. One still can go and add it to this manifest if needed, but this is no longer "officially" supported. More information in: #56071 #54084 Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
mbedTLS 2.26 used on Zephyr LTS contains several vulnerabilities:
https://www.cvedetails.com/cve/CVE-2021-45450/
https://www.cvedetails.com/cve/CVE-2022-35409/
https://www.cvedetails.com/cve/CVE-2022-46392/
https://www.cvedetails.com/cve/CVE-2022-46393/
Expected behavior
Use an updated version that address known issues.
Impact
Products using this version may be exploited.
Additional context
https://www.cvedetails.com/vulnerability-list/vendor_id-15698/product_id-32568/ARM-Mbed-Tls.html
The text was updated successfully, but these errors were encountered: