Debian Bug report logs -
#963159
mbedtls: CVE-2020-10932
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, James Cowgill <jcowgill@debian.org>
:
Bug#963159
; Package src:mbedtls
.
(Fri, 19 Jun 2020 18:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, James Cowgill <jcowgill@debian.org>
.
(Fri, 19 Jun 2020 18:06:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: mbedtls
Version: 2.16.5-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for mbedtls.
CVE-2020-10932[0]:
| An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before
| 2.7.15. An attacker that can get precise enough side-channel
| measurements can recover the long-term ECDSA private key by (1)
| reconstructing the projective coordinate of the result of scalar
| multiplication by exploiting side channels in the conversion to affine
| coordinates; (2) using an attack described by Naccache, Smart, and
| Stern in 2003 to recover a few bits of the ephemeral scalar from those
| projective coordinates via several measurements; and (3) using a
| lattice attack to get from there to the long-term ECDSA private key
| used for the signatures. Typically an attacker would have sufficient
| access when attacking an SGX enclave and controlling the untrusted OS.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10932
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10932
[1] https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
[2] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jun 20 13:40:30 2020;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.