Bug#1006169: bullseye-pu: package mbedtls/2.16.12-0+deb11u1
Control: tag -1 moreinfo
Hi,
Sorry about the long delay to this.
On Sun, Feb 20, 2022 at 12:25:47PM +0100, Andrea Pappacoda wrote:
> This upstream release only contains fixes anyway,
I'm not sure that's strictly true:
> +Default behavior changes
> + * In mbedtls_rsa_context objects, the ver field was formerly documented
> + as always 0. It is now reserved for internal purposes and may take
> + different values.
and arguably:
> +Changes
> + * Improve the performance of base64 constant-flow code. The result is still
> + slower than the original non-constant-flow implementation, but much faster
> + than the previous constant-flow implementation. Fixes #4814.
(not a functional change, but one with some risk).
In any case, I'm not sure that CVE-2021-44732 is as serious as you make
out. It's impactful, yes, but doesn't the out-of-memory condition mean
another exploit or outrageously good fortune is also required to trigger
this?
Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1