mbedtls - Debian Package Tracker

general

source: mbedtls (main)
version: 3.6.3-1
maintainer: Debian IoT Maintainers (archive) (DMD)
uploaders: Andrea Pappacoda [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.16.0-1
o-o-sec: 2.16.9-0~deb10u1
oldstable: 2.16.9-0.1
old-sec: 2.16.9-0.1+deb11u1
stable: 2.28.3-1
testing: 3.6.3-1
unstable: 3.6.3-1

versioned links

2.16.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.16.9-0~deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.16.9-0.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.16.9-0.1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.28.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libmbedcrypto16
libmbedtls-dev (1 bugs: 0, 1, 0, 0)
libmbedtls-doc
libmbedtls21
libmbedx509-7

action needed

A new upstream version is available: 3.6.4 high

A new upstream version 3.6.4 is available, you should consider packaging it.

Created: 2025-07-02 Last update: 2025-07-09 13:33

7 security issues in trixie high

There are 7 open security issues in trixie.

7 important issues:

CVE-2025-47917:
CVE-2025-48965:
CVE-2025-49087:
CVE-2025-49600: In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.
CVE-2025-49601: In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.
CVE-2025-52496: Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
CVE-2025-52497: Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

Created: 2025-07-04 Last update: 2025-07-05 09:21

7 security issues in sid high

There are 7 open security issues in sid.

7 important issues:

CVE-2025-47917:
CVE-2025-48965:
CVE-2025-49087:
CVE-2025-49600: In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.
CVE-2025-49601: In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.
CVE-2025-52496: Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
CVE-2025-52497: Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

Created: 2025-07-04 Last update: 2025-07-05 09:21

11 security issues in bullseye high

There are 11 open security issues in bullseye.

6 important issues:

CVE-2025-27809: Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
CVE-2025-27810: Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.
CVE-2025-47917:
CVE-2025-48965:
CVE-2025-52496: Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
CVE-2025-52497: Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

4 issues postponed or untriaged:

CVE-2024-23170: (needs triaging) An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
CVE-2024-23775: (needs triaging) Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().
CVE-2024-28755: (needs triaging) An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.
CVE-2024-28960: (needs triaging) An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

1 ignored issue:

CVE-2022-35409: An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function.

Created: 2025-03-25 Last update: 2025-07-05 09:21

10 security issues in bookworm high

There are 10 open security issues in bookworm.

4 important issues:

CVE-2025-47917:
CVE-2025-48965:
CVE-2025-52496: Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.
CVE-2025-52497: Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

6 issues left for the package maintainer to handle:

CVE-2024-23170: (needs triaging) An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
CVE-2024-23775: (needs triaging) Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().
CVE-2024-28755: (needs triaging) An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.
CVE-2024-28960: (needs triaging) An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.
CVE-2025-27809: (needs triaging) Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
CVE-2025-27810: (needs triaging) Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-01-22 Last update: 2025-07-05 09:21

lintian reports 2 errors high

Lintian reports 2 errors about this package. You should make the package lintian clean getting rid of them.

Created: 2025-04-10 Last update: 2025-04-10 00:31

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-04-12 Last update: 2025-07-09 12:22

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-12-08 Last update: 2018-12-08 07:43

news

[rss feed]

[2025-06-30] Accepted mbedtls 2.16.9-0.1+deb11u1 (source) into oldstable-security (Andrej Shadura) (signed by: Andrew Shadura)
[2025-04-08] mbedtls 3.6.3-1 MIGRATED to testing (Debian testing watch)
[2025-04-05] Accepted mbedtls 3.6.3-1 (source) into unstable (Andrea Pappacoda)
[2024-11-23] mbedtls 3.6.2-3 MIGRATED to testing (Debian testing watch)
[2024-11-17] Accepted mbedtls 3.6.2-3 (source) into unstable (Andrea Pappacoda)
[2024-11-06] Accepted mbedtls 3.6.2-2 (source) into unstable (Andrea Pappacoda)
[2024-10-23] Accepted mbedtls 3.6.2-1 (source) into unstable (Andrea Pappacoda)
[2024-10-17] Accepted mbedtls 3.6.0-3 (source) into unstable (Andrea Pappacoda)
[2024-04-25] mbedtls 2.28.8-1 MIGRATED to testing (Debian testing watch)
[2024-04-10] Accepted mbedtls 3.6.0-2 (source) into experimental (Andrea Pappacoda)
[2024-04-08] Accepted mbedtls 3.6.0-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
[2024-03-31] Accepted mbedtls 2.28.8-1 (source) into unstable (Andrea Pappacoda)
[2024-02-29] Accepted mbedtls 2.28.7-1.1 (source) into unstable (Graham Inggs)
[2024-02-03] Accepted mbedtls 2.28.7-1.1~exp1 (source) into experimental (Graham Inggs)
[2024-01-31] mbedtls 2.28.7-1 MIGRATED to testing (Debian testing watch)
[2024-01-31] mbedtls 2.28.7-1 MIGRATED to testing (Debian testing watch)
[2024-01-27] Accepted mbedtls 2.28.7-1 (source) into unstable (Andrea Pappacoda)
[2023-12-27] mbedtls 2.28.6-1 MIGRATED to testing (Debian testing watch)
[2023-12-24] Accepted mbedtls 2.28.6-1 (source) into unstable (Andrea Pappacoda)
[2023-10-14] mbedtls 2.28.5-1 MIGRATED to testing (Debian testing watch)
[2023-10-14] mbedtls 2.28.5-1 MIGRATED to testing (Debian testing watch)
[2023-10-11] Accepted mbedtls 2.28.5-1 (source) into unstable (Philippe Coval)
[2023-09-14] mbedtls 2.28.4-1 MIGRATED to testing (Debian testing watch)
[2023-09-12] Accepted mbedtls 2.28.4-1 (source) into unstable (Andrea Pappacoda)
[2023-04-14] mbedtls 2.28.3-1 MIGRATED to testing (Debian testing watch)
[2023-03-29] Accepted mbedtls 2.28.3-1 (source) into unstable (Andrea Pappacoda)
[2022-12-28] mbedtls 2.28.2-1 MIGRATED to testing (Debian testing watch)
[2022-12-25] Accepted mbedtls 2.16.9-0~deb10u1 (source) into oldstable (Markus Koschany)
[2022-12-15] Accepted mbedtls 2.28.2-1 (source) into unstable (Andrea Pappacoda)
[2022-07-15] mbedtls 2.28.1-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 11
RC: 0
I&N: 10
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (2, 0)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.6.2-3ubuntu1
patches for 3.6.2-3ubuntu1