---
- branch: MAIN
  date: Thu Feb 20 15:27:31 UTC 2020
  files:
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/security/mbedtls/Makefile
    pathrev: pkgsrc/security/mbedtls/Makefile@1.11
    type: modified
  - new: '1.5'
    old: '1.4'
    path: pkgsrc/security/mbedtls/PLIST
    pathrev: pkgsrc/security/mbedtls/PLIST@1.5
    type: modified
  - new: '1.7'
    old: '1.6'
    path: pkgsrc/security/mbedtls/distinfo
    pathrev: pkgsrc/security/mbedtls/distinfo@1.7
    type: modified
  id: 20200220T152731Z.ec17fec633dff10c9022e22dcc2bd71157ea7403
  log: |
    mbedtls: Update to 2.16.4

    Security
       * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
         constant time/constant trace, so side channel attacks can retrieve the
         blinded value, factor it (as it is smaller than RSA keys and not guaranteed
         to have only large prime factors), and then, by brute force, recover the
         key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
       * Zeroize local variables in mbedtls_internal_aes_encrypt() and
         mbedtls_internal_aes_decrypt() before exiting the function. The value of
         these variables can be used to recover the last round key. To follow best
         practice and to limit the impact of buffer overread vulnerabilities (like
         Heartbleed) we need to zeroize them before exiting the function.
         Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
         Grant Hernandez, and Kevin Butler (University of Florida) and
         Dave Tian (Purdue University).
       * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
         timings on the comparison in the key generation enabled the attacker to
         learn leading bits of the ephemeral key used during ECDSA signatures and to
         recover the private key. Reported by Jeremy Dubeuf.
       * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
         failures could happen with alternative implementations of AES. Bug
         reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
         Sectra.

    Bugfix
       * Remove redundant line for getting the bitlen of a bignum, since the variable
         holding the returned value is overwritten a line after.
         Found by irwir in #2377.
       * Support mbedtls_hmac_drbg_set_entropy_len() and
         mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
         the initial seeding always reset the entropy length to the compile-time
         default.

    Changes
       * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
         from the cipher abstraction layer. Fixes #2198.
       * Clarify how the interface of the CTR_DRBG and HMAC modules relates to
         NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
         to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/mbedtls'
  unixtime: '1582212451'
  user: nia