Subject: Re: [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
From: "Prarthana Sagar V via groups.io"
To: "Ard Biesheuvel", devel@edk2.groups.io
Reply-To: devel@edk2.groups.io, prarthanasv@ami.com
Date: Tue, 20 May 2025 09:27:07 -0700
Message-ID: <7615.1747758427307885733@groups.io>

May we know how EDK2 plans to fix the below CVEs in MbedTLS, if it's difficult to update to the next version?

Mbed TLS 3.3.0

CVE-2024-45159
  Affected: Affected
  Status: Consumes the affected version. Affected versions are Mbed TLS 3.2.0 to 3.6.0
  Notes: Limited authentication bypass in TLS 1.3 optional client authentication
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-3/

CVE-2024-45199
  Affected: Not sure whether it is affected or not
  Status: There are not sufficient details on which versions are affected and which are not.

CVE-2022-46393
  Affected: Not affected
  Status: An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.

CVE-2021-44732
  Affected: Affected
  Status: All versions of Mbed TLS are affected
  Notes: Double Free in mbedtls_ssl_set_session() in an error case. — Mbed TLS documentation
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2021-12/

CVE-2019-14697
  Affected: Not sure whether it is affected or not
  Status: There are not sufficient details on which versions are affected and which are not.

CVE-2022-35409
  Affected: Not affected
  Status: Does not consume the affected version. Affected versions are Mbed TLS 2.28.0 to 3.1.0
  Notes: Buffer overread in DTLS ClientHello parsing — Mbed TLS documentation
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2022-07/

CVE-2024-23744
  Affected: Not sure whether it is affected or not (as of my understanding, this CVE is not affected)
  Status: On the NIST website, they mention the issue was discovered in Mbed TLS 3.5.1.
  Document Link: https://github.com/Mbed-TLS/mbedtls/issues/8694

CVE-2024-23775
  Affected: Affected
  Status: Consumes the affected version. Affected versions are Mbed TLS 2.28.6 to 3.5.1
  Notes: Buffer overflow in mbedtls_x509_set_extension()
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

CVE-2023-43615
  Affected: Affected
  Status: All versions of Mbed TLS are affected
  Notes: Buffer overread in TLS stream cipher suites — Mbed TLS documentation
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/

CVE-2023-52353
  Affected: Yes, affected
  Status: Already fixed in CryptoPkg_57

CVE-2021-43666
  Affected: Not sure whether it is affected or not
  Status: This CVE exists in 3.0.0; not sure whether it also affects version 3.3.0.
  Document Link: https://github.com/Mbed-TLS/mbedtls/pull/5155/files

CVE-2018-9989
  Affected: Not sure whether it is affected or not
  Status: On the NIST website, they mention the issue is in Mbed TLS versions before 2.8.0.
  Document Link: https://nvd.nist.gov/vuln/detail/CVE-2018-9989

CVE-2021-45451
  Affected: Not sure whether it is affected or not
  Status: On the NIST website, they mention the issue is in Mbed TLS versions before 3.1.0.

CVE-2020-36478
  Affected: Not sure whether it is affected or not
  Status: They provided the patch based on Mbed TLS version 2.25.0, but our Mbed TLS version is 3.3.0.
  Notes: Add tag check to cert algorithm check · Mbed-TLS/mbedtls@ca17ebf
  Document Link: https://github.com/Mbed-TLS/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8

CVE-2018-9988
  Affected: Not sure whether it is affected or not
  Status: They provided the patch based on Mbed TLS version 2.8.0, but our Mbed TLS version is 3.3.0.
  Document Link: https://nvd.nist.gov/vuln/detail/CVE-2018-9988

CVE-2020-36476
  Affected: Not sure whether it is affected or not
  Status: There are not sufficient details on which versions are affected and which are not.

CVE-2021-45450
  Affected: Not sure whether it is affected or not
  Status: There are not sufficient details on which versions are affected and which are not.

CVE-2020-36475
  Affected: Not sure whether it is affected or not
  Status: There are not sufficient details on which versions are affected and which are not.

CVE-2018-0497
  Affected: Affected
  Status: All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases
  Notes: Mbed TLS Security Advisory 2018-02
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2018-02/

CVE-2020-36477
  Affected: Not affected
  Status: Based on the NIST website information, the affected version is 2.24.0.

CVE-2020-10941
  Affected: Not sure whether it is affected or not
  Status: There are not sufficient details on which versions are affected and which are not.

CVE-2024-23170
  Affected: Affected
  Status: Consumes the affected version. Affected versions are Mbed TLS 2.28.6 to 3.5.1
  Notes: Timing side channel in private key RSA operations. — Mbed TLS documentation
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

CVE-2020-16150
  Affected: Affected
  Status: All versions of Mbed TLS are affected
  Notes: Local side channel attack on classical CBC decryption in (D)TLS
  Document Link: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2020-09-1/

CVE-2020-28928
  Affected: Not affected, because we don't have docker files
  Document Link: https://github.com/apache/apisix-docker/pull/166/files

Groups.io Links:
View/Reply Online (#121360): https://edk2.groups.io/g/devel/message/121360
Group Owner: devel+owner@edk2.groups.io
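Added example, not code from the message above, from EDK2 or from Mbed TLS: a small Python triage that checks the version the message says EDK2 pins (3.3.0) against the affected ranges the message's table quotes. The ranges are transcribed from that table as written there and are not independently verified against the advisories; rows for which the table records no usable range are reported as UNKNOWN, and CVE-2023-52353, which the message says is already fixed in CryptoPkg, is left out. All function and variable names are the example's own.

```python
"""Range-based CVE triage for a pinned Mbed TLS version.

Added example, not code from the original message, EDK2 or Mbed TLS.
The version-range statements below are transcribed from the message's
table (they are the message's claims, not a verification of the
advisories); the pinned version 3.3.0 is the one the message names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class Range:
    """One affected interval. lo is inclusive; hi is inclusive unless
    hi_inclusive is False (the 'before X' wording). None = unbounded."""
    lo: Optional[Version] = None
    hi: Optional[Version] = None
    hi_inclusive: bool = True

    def contains(self, v: Version) -> bool:
        if self.lo is not None and v < self.lo:
            return False
        if self.hi is None:
            return True
        return v <= self.hi if self.hi_inclusive else v < self.hi


def between(lo: str, hi: str) -> Range:        # "X to Y", both inclusive
    return Range(parse_version(lo), parse_version(hi), True)


def before(hi: str, lo: Optional[str] = None) -> Range:  # "before Y" / "3.x before Y"
    return Range(parse_version(lo) if lo else None, parse_version(hi), False)


def only(v: str) -> Range:                     # a single affected release
    return Range(parse_version(v), parse_version(v), True)


ALL = Range()                                  # "all versions"

# Constructed from the message's table; None = no usable range recorded there.
ADVISORIES: Dict[str, Optional[List[Range]]] = {
    "CVE-2024-45159": [between("3.2.0", "3.6.0")],
    "CVE-2024-45199": None,
    "CVE-2022-46393": [before("2.28.2"), before("3.3.0", lo="3.0.0")],
    "CVE-2021-44732": [ALL],
    "CVE-2019-14697": None,
    "CVE-2022-35409": [between("2.28.0", "3.1.0")],
    "CVE-2024-23744": None,
    "CVE-2024-23775": [between("2.28.6", "3.5.1")],
    "CVE-2023-43615": [ALL],
    "CVE-2021-43666": None,
    "CVE-2018-9989": [before("2.8.0")],
    "CVE-2021-45451": [before("3.1.0")],
    "CVE-2020-36478": None,
    "CVE-2018-9988": None,
    "CVE-2020-36476": None,
    "CVE-2021-45450": None,
    "CVE-2020-36475": None,
    "CVE-2018-0497": [Range(lo=parse_version("1.2.0"))],
    "CVE-2020-36477": [only("2.24.0")],
    "CVE-2020-10941": None,
    "CVE-2024-23170": [between("2.28.6", "3.5.1")],
    "CVE-2020-16150": [ALL],
}


def triage(pinned: str, advisories=ADVISORIES) -> Dict[str, str]:
    """AFFECTED / NOT AFFECTED / UNKNOWN for each CVE against the pinned version."""
    v = parse_version(pinned)
    verdicts: Dict[str, str] = {}
    for cve, ranges in advisories.items():
        if ranges is None:
            verdicts[cve] = "UNKNOWN"
        elif any(r.contains(v) for r in ranges):
            verdicts[cve] = "AFFECTED"
        else:
            verdicts[cve] = "NOT AFFECTED"
    return verdicts


def open_items(pinned: str, advisories=ADVISORIES) -> List[str]:
    """CVEs that still need work: affected, or unresolved (UNKNOWN)."""
    return sorted(c for c, s in triage(pinned, advisories).items() if s != "NOT AFFECTED")


if __name__ == "__main__":
    for cve, verdict in triage("3.3.0").items():
        print(f"{cve:15} {verdict}")
```

Two caveats when using this. A statement such as "2.28.6 to 3.5.1" covers two release branches (2.28 LTS and 3.x); plain tuple ordering puts 2.28.7 inside that interval, which may not be what the advisory means, so a range phrased that way should be re-read as one range per branch from the advisory text before the verdict is trusted. And the pinned version should be read from the vendored tree itself (for Mbed TLS 3.x, MBEDTLS_VERSION_STRING in include/mbedtls/build_info.h) rather than from a submodule tag, since a patched tree can carry a tag that no longer matches its contents.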