
Bug#1006169: bullseye-pu: package mbedtls/2.16.12-0+deb11u1

Control: tag -1 moreinfo

Hi,

Sorry about the long delay on this.

On Sun, Feb 20, 2022 at 12:25:47PM +0100, Andrea Pappacoda wrote:
> This upstream release only contains fixes anyway,

I'm not sure that's strictly true:

> +Default behavior changes
> +   * In mbedtls_rsa_context objects, the ver field was formerly documented
> +     as always 0. It is now reserved for internal purposes and may take
> +     different values.

and arguably:

> +Changes
> +   * Improve the performance of base64 constant-flow code. The result is still
> +     slower than the original non-constant-flow implementation, but much faster
> +     than the previous constant-flow implementation. Fixes #4814.

(not a functional change, but one with some risk).

In any case, I'm not sure that CVE-2021-44732 is as serious as you make
out. It's impactful, yes, but doesn't the out-of-memory condition mean
another exploit or outrageously good fortune is also required to trigger
this?

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
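What the "constant-flow" wording in the quoted base64 changelog entry refers to, and why a faster rewrite of such code carries risk, as an added illustration that is not part of the mail above and not Mbed TLS's own code (whose implementation differs in detail): the conventional byte-to-value mapping, whose branches (or, equivalently, lookup-table index) depend on the input byte, beside a mapping that evaluates every alphabet range for every byte and selects the answer with masks, so the instructions executed and memory touched do not depend on the data. A small decoder is built on the constant-flow mapping, and a cross-check against the reference over all 256 byte values shows the kind of regression test a performance rewrite of this code needs. All function names and test vectors are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Conventional mapping: which comparison succeeds depends on the byte, and a
 * 256-entry table has the same property through the address it touches.  When
 * the base64 text is secret (a PEM-encoded private key, say), a branch- or
 * cache-timing observer can learn something about it. */
static int branchy_dec_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* 0xFF when lo <= c <= hi, else 0x00, with no branch on c: a subtraction that
 * goes below zero wraps and sets bit 31 of the 32-bit result. */
static uint8_t ct_mask_in_range(unsigned char c, unsigned char lo, unsigned char hi)
{
    uint32_t below = (uint32_t)c - lo;               /* bit 31 set iff c < lo */
    uint32_t above = (uint32_t)hi - c;               /* bit 31 set iff c > hi */
    uint32_t out_of_range = (below | above) >> 31;   /* 1 or 0 */
    return (uint8_t)(out_of_range - 1u);             /* 0 -> 0xFF, 1 -> 0x00 */
}

/* Constant-flow mapping: every range is evaluated for every byte and the result
 * is selected with masks.  Returns 0..63, or -1 for a byte outside the alphabet;
 * the single branch is on validity, which is an error condition anyway. */
static int ct_base64_dec_value(unsigned char c)
{
    uint8_t m_up = ct_mask_in_range(c, 'A', 'Z');
    uint8_t m_lo = ct_mask_in_range(c, 'a', 'z');
    uint8_t m_dg = ct_mask_in_range(c, '0', '9');
    uint8_t m_pl = ct_mask_in_range(c, '+', '+');
    uint8_t m_sl = ct_mask_in_range(c, '/', '/');
    uint8_t valid = m_up | m_lo | m_dg | m_pl | m_sl;
    uint8_t v = 0;
    v |= m_up & (uint8_t)(c - 'A');
    v |= m_lo & (uint8_t)(c - 'a' + 26);
    v |= m_dg & (uint8_t)(c - '0' + 52);
    v |= m_pl & 62;
    v |= m_sl & 63;
    v |= (uint8_t)~valid;           /* no range matched: force 0xFF */
    return v == 0xFF ? -1 : (int)v;
}

/* Decode base64 with optional '=' padding.  Returns bytes written, or -1 on
 * malformed input or insufficient space.  Per-character mapping is constant-
 * flow; the loop branches only on length and validity. */
static long ct_base64_decode(const char *in, size_t in_len,
                             unsigned char *out, size_t out_cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0, i, pad = 0;

    for (i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        int v;
        if (c == '=')
            break;
        if ((v = ct_base64_dec_value(c)) < 0)
            return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap)
                return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    if (bits >= 6)                   /* a lone trailing sextet cannot form a byte */
        return -1;
    for (; i < in_len; i++)          /* after the first '=' only '=' may follow */
        if (in[i] != '=' || ++pad > 2)
            return -1;
    return (long)n;
}

/* Regression check a constant-flow rewrite needs: same answer as the reference
 * for every possible byte. */
static int ct_matches_branchy_for_all_bytes(void)
{
    int c;
    for (c = 0; c < 256; c++)
        if (ct_base64_dec_value((unsigned char)c) != branchy_dec_value((unsigned char)c))
            return 0;
    return 1;
}

/* 1 if b64 decodes exactly to expected (constructed vectors), else 0. */
static int decodes_to(const char *b64, const char *expected)
{
    unsigned char buf[64];
    long n = ct_base64_decode(b64, strlen(b64), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* 1 if the decoder rejects b64. */
static int rejects(const char *b64)
{
    unsigned char buf[64];
    return ct_base64_decode(b64, strlen(b64), buf, sizeof buf) < 0;
}

int main(void)
{
    unsigned char buf[64];
    long n = ct_base64_decode("aGVsbG8=", 8, buf, sizeof buf);
    if (n >= 0)
        printf("%.*s\n", (int)n, buf);
    printf("mapping matches reference for all bytes: %d\n",
           ct_matches_branchy_for_all_bytes());
    return 0;
}
```

The exhaustive comparison is what makes a performance rewrite of this code reviewable: correctness of the mapping is checked for all 256 inputs, while the constant-flow property itself has to be argued from the code (no branch or memory index depends on `c`) or measured with a timing harness, which is why such a change is "not a functional change, but one with some risk".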