[SECURITY] [DLA 4274-1] mbedtls security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4274-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
August 18, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : mbedtls
Version : 2.16.9-0.1+deb11u2
CVE ID : CVE-2025-47917 CVE-2025-48965 CVE-2025-52496 CVE-2025-52497
Multiple vulnerabilities have been fixed in mbedtls, a lightweight crypto and
SSL/TLS library.
CVE-2025-47917
MbedTLS allows use-after-free in certain situations in the correctly
developed applications.
CVE-2025-48965
The handling of val.p and val.len in mbedtls_asn1_store_named_data was
inconsistent and allowed NULL pointer dereference. The fix for this issue
depended on fixes for two related issues in the same piece of code, which
are now also fixed.
CVE-2025-52496
A race condition in AESNI detection could occur if certain compiler
optimisations were applied, making it possible to extract an AES key from
a multithreaded program or perform a GCM forgery.
CVE-2025-52497
In mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, one-byte
heap-based buffer underflow could occur.
For Debian 11 bullseye, these problems have been fixed in version
2.16.9-0.1+deb11u2.
We recommend that you upgrade your mbedtls packages.
For the detailed security status of mbedtls please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mbedtls
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaKNjuQAKCRDoRGtKyMdy
YYg4AP46pRdLw5ZLK1cFc6aVZ+jAePsh+GhAGIdN0yGGGT2ODAD/R8SBJO7FH1XJ
d6DCoJksbmeMAD296Hmw+g/F50DtfAY=
=RyNI
-----END PGP SIGNATURE-----
Reply to: