[Git][security-tracker-team/security-tracker][master] Reserve DLA-4236-1 for mbedtls
Andrej Shadura (@andrewsh)
andrewsh at debian.org
Mon Jun 30 21:10:23 BST 2025
Andrej Shadura pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8dea3f7e by Andrej Shadura at 2025-06-30T22:10:04+02:00
Reserve DLA-4236-1 for mbedtls
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -230291,7 +230291,6 @@ CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before
NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/f385fcebee017973cf4137333628a78248f1f443
CVE-2022-46392 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...)
- mbedtls 2.28.2-1
- [bullseye] - mbedtls <no-dsa> (Minor issue)
[buster] - mbedtls <postponed> (Minor issue)
NOTE: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
NOTE: Issue is most likely related to library/bignum.c and the mbedtls_mpi_exp_mod function.
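Review bot: this entry loses its bullseye `<no-dsa>` tag but still has no concrete fix reference: the only pointers are the 2.28.2 release tag and the speculative "most likely related to library/bignum.c" NOTE, whereas the neighbouring CVE-2022-46393 records an explicit `NOTE: Fixed by https://github.com/Mbed-TLS/mbedtls/commit/...`. For a package that ships 2.16.9, please add a NOTE naming the upstream commit actually backported into 2.16.9-0.1+deb11u1 so the change is auditable from the tracker alone. The `[buster] - mbedtls <postponed>` line is correctly left untouched.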
@@ -309422,7 +309421,6 @@ CVE-2021-44732 (Mbed TLS before 3.0.1 has a double free in certain out-of-memory
{DLA-3249-1}
[experimental] - mbedtls 2.28.0-0.1
- mbedtls 2.28.0-0.3 (bug #1002631)
- [bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12
NOTE: https://github.com/ARMmbed/mbedtls/commit/eb490aabf6a9f47c074ec476d0d4997c2362cdbc (mbedtls-2.16.12)
CVE-2021-44731 (A race condition existed in the snapd 2.54.2 snap-confine binary when ...)
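Review bot: nothing to change in this hunk: the entry already records the upstream fix with its branch label, `NOTE: https://github.com/ARMmbed/mbedtls/commit/eb490aabf6a9f47c074ec476d0d4997c2362cdbc (mbedtls-2.16.12)`, which is the right base for the 2.16-series bullseye package, so dropping the `<no-dsa>` tag is fully supported. The existing `{DLA-3249-1}` reference line will need DLA-4236-1 added beside it once the advisory is actually released, since this commit only reserves the number.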
@@ -313901,7 +313899,6 @@ CVE-2021-43667 (A vulnerability has been detected in HyperLedger Fabric v1.4.0,
CVE-2021-43666 (A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier ...)
{DLA-3249-1}
- mbedtls 2.28.0-1
- [bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/issues/5136
NOTE: Backport 2.16: https://github.com/ARMmbed/mbedtls/pull/5311
CVE-2021-43665
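Review bot: the fix pointers here are the upstream issue and the 2.16 backport PR (`NOTE: Backport 2.16: https://github.com/ARMmbed/mbedtls/pull/5311`), but not the release that carried it; the tracker uses a "Fixed in X: <release tag>" NOTE elsewhere in this patch (see the CVE-2021-24119 entry), so adding the same for this CVE would let a reader confirm the PR was merged rather than merely proposed. Removing the bullseye `<no-dsa>` tag is otherwise consistent with the DLA/list entry.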
@@ -334440,7 +334437,6 @@ CVE-2021-36648
RESERVED
CVE-2021-36647 (Use of a Broken or Risky Cryptographic Algorithm in the function mbedt ...)
- mbedtls 2.16.11-0.1
- [bullseye] - mbedtls <no-dsa> (Minor issue)
[buster] - mbedtls <no-dsa> (Minor issue)
NOTE: https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1/
CVE-2021-36646 (A Cross Site Scrtpting (XSS) vulnerability in KodExplorer 4.45 allows ...)
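Review bot: after this hunk the two suites disagree on triage for the same issue: bullseye now gets a DLA while `[buster] - mbedtls <no-dsa> (Minor issue)` stays as-is. That is legitimate (buster is handled separately), but the entry's only reference is the upstream advisory page, with no fixing commit; please add the commit that 2.16.9-0.1+deb11u1 carries for this CVE so the "Minor issue" rationale on the buster line and the bullseye fix can both be checked against the same upstream change.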
@@ -366291,7 +366287,6 @@ CVE-2021-24120
CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in b ...)
{DLA-3249-1 DLA-2826-1}
- mbedtls 2.16.11-0.1
- [bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
CVE-2021-24118
RESERVED
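Review bot: the fix reference for this entry is `NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0`, which does not tell a reader which change was applied to the 2.16.9 bullseye package. The entry already cites DLA-2826-1 and DLA-3249-1, so either the commit used for those earlier updates or the one backported into 2.16.9-0.1+deb11u1 should be recorded in a NOTE before the advisory goes out; otherwise the `<no-dsa>` removal rests on a release tag for a different branch.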
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Jun 2025] DLA-4236-1 mbedtls - security update
+ {CVE-2021-24119 CVE-2021-36647 CVE-2021-43666 CVE-2021-44732 CVE-2022-46392}
+ [bullseye] - mbedtls 2.16.9-0.1+deb11u1
[30 Jun 2025] DLA-4235-1 sudo - security update
{CVE-2025-32462}
[bullseye] - sudo 1.9.5p2-3+deb11u2
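Review bot: the five CVEs listed (CVE-2021-24119 CVE-2021-36647 CVE-2021-43666 CVE-2021-44732 CVE-2022-46392) match exactly the five entries whose `[bullseye] - mbedtls <no-dsa>` lines are dropped in data/CVE/list, and the target version 2.16.9-0.1+deb11u1 follows the usual `+deb11uN` convention on top of the existing bullseye revision, so the entry is internally consistent. One thing to confirm: CVE-2022-46393, visible as the hunk context directly above CVE-2022-46392 and fixed by the same upstream 2.28.2 release, is not in this list; if it was deliberately left out, a short note on why would save the next person from re-checking it.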
=====================================
data/dla-needed.txt
=====================================
@@ -192,10 +192,6 @@ libxmltok
linux (Ben Hutchings)
NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh (LTS Team)
--
-mbedtls
- NOTE: 20250331: Added by Front-Desk (apo)
- NOTE: 20250331: Unvalidated pre-LTS PU at https://bugs.debian.org/1006169 (Beuc/front-desk)
---
mediawiki (guilhem)
NOTE: 20250412: Added by Front-Desk (Beuc)
NOTE: 20250412: Upcoming DSA (Beuc/front-desk)
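Review bot: the removed entry carried `NOTE: 20250331: Unvalidated pre-LTS PU at https://bugs.debian.org/1006169 (Beuc/front-desk)`, and nothing in the new DLA/list line references that bug. Since the DLA now ships a bullseye update for the same package, that pending point-release request should be updated or closed when the advisory is released so the unvalidated PU is not uploaded on top of 2.16.9-0.1+deb11u1; a pointer to the bug in the DLA entry's NOTE would make that follow-up visible. The removal itself is clean: the entry and its single `--` separator go, and the count in the hunk header (`-192,10 +192,6`) matches.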
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dea3f7e2b843b98a01081f8a4c79b9f63aa1e83