Date: Tue, 3 Jan 2023 12:47:51 +0000
From: "Thomas Klausner"
Subject: CVS commit: pkgsrc/security/mbedtls
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
Message-Id: <20230103124751.BFD6CFA90@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   wiz
Date:           Tue Jan 3 12:47:51 UTC 2023

Modified Files:
        pkgsrc/security/mbedtls: Makefile distinfo

Log Message:
mbedtls: update to 2.28.2.

= Mbed TLS 2.28.2 branch released 2022-12-14

Security
   * Fix potential heap buffer overread and overwrite in DTLS if
     MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
     MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
   * An adversary with access to precise enough information about memory
     accesses (typically, an untrusted operating system attacking a secure
     enclave) could recover an RSA private key after observing the victim
     performing a single private-key operation if the window size used for the
     exponentiation was 3 or smaller. Found and reported by Zili KOU,
     Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
     and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
     and Test in Europe 2023.

Bugfix
   * Fix a long-standing build failure when building x86 PIC code with old
     gcc (4.x). The code will be slower, but will compile. We do however
     recommend upgrading to a more recent compiler instead. Fixes #1910.
   * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
     Contributed by Kazuyuki Kimura to fix #2020.
   * Use double quotes to include private header file psa_crypto_cipher.h.
     Fixes 'file not found with include' error when building with Xcode.
   * Fix handling of broken symlinks when loading certificates using
     mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
     broken link is encountered, skip the broken link and continue parsing
     other certificate files. Contributed by Eduardo Silva in #2602.
   * Fix a compilation error when using CMake with an IAR toolchain.
     Fixes #5964.
   * Fix bugs and missing dependencies when building and testing
     configurations with only one encryption type enabled in TLS 1.2.
   * Provide the missing definition of mbedtls_setbuf() in some configurations
     with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
   * Fix compilation errors when trying to build with PSA drivers for AEAD
     (GCM, CCM, Chacha20-Poly1305).
   * Fix memory leak in ssl_parse_certificate_request() caused by
     mbedtls_x509_get_name() not freeing allocated objects in case of error.
     Change mbedtls_x509_get_name() to clean up allocated objects on error.
   * Fix checks on PK in check_config.h for builds with PSA and RSA. This does
     not change which builds actually work, only moving a link-time error to
     an early check.
   * Fix ECDSA verification, where it was not always validating the
     public key. This bug meant that it was possible to verify a
     signature with an invalid public key, in some cases. Reported by
     Guido Vranken using Cryptofuzz in #4420.
   * Fix a possible null pointer dereference if a memory allocation fails
     in TLS PRF code. Reported by Michael Madsen in #6516.
   * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
     bytes when parsing certificates containing a binary RFC 4108
     HardwareModuleName as a Subject Alternative Name extension. Hardware
     serial numbers are now rendered in hex format. Fixes #6262.
   * Fix bug in error reporting in dh_genprime.c where upon failure,
     the error code returned by mbedtls_mpi_write_file() is overwritten
     and therefore not printed.
   * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
     with A > 0 created an unintended representation of the value 0 which was
     not processed correctly by some bignum operations. Fix this.
     This had no consequence on cryptography code, but might affect
     applications that call bignum directly and use negative numbers.
   * Fix undefined behavior (typically harmless in practice) of
     mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
     when both operands are 0 and the left operand is represented with 0 limbs.
   * Fix undefined behavior (typically harmless in practice) when some bignum
     functions receive the most negative value of mbedtls_mpi_sint. Credit
     to OSS-Fuzz. Fixes #6597.
   * Fix undefined behavior (typically harmless in practice) in PSA ECB
     encryption and decryption.

To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 pkgsrc/security/mbedtls/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/security/mbedtls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: pkgsrc/security/mbedtls/Makefile diff -u pkgsrc/security/mbedtls/Makefile:1.23 pkgsrc/security/mbedtls/Makefile:1.24 --- pkgsrc/security/mbedtls/Makefile:1.23 Thu Aug 11 06:46:43 2022 +++ pkgsrc/security/mbedtls/Makefile Tue Jan 3 12:47:51 2023 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.23 2022/08/11 06:46:43 wiz Exp $ +# $NetBSD: Makefile,v 1.24 2023/01/03 12:47:51 wiz Exp $ -DISTNAME= mbedtls-2.28.1 +DISTNAME= mbedtls-2.28.2 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GITHUB:=ARMmbed/} GITHUB_TAG= ${DISTNAME} Index: pkgsrc/security/mbedtls/distinfo diff -u pkgsrc/security/mbedtls/distinfo:1.18 pkgsrc/security/mbedtls/distinfo:1.19 --- pkgsrc/security/mbedtls/distinfo:1.18 Thu Aug 11 06:40:38 2022 +++ pkgsrc/security/mbedtls/distinfo Tue Jan 3 12:47:51 2023 
@@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.18 2022/08/11 06:40:38 wiz Exp $ +$NetBSD: distinfo,v 1.19 2023/01/03 12:47:51 wiz Exp $ -BLAKE2s (mbedtls-2.28.1.tar.gz) = 3486a1a69c491996e86136474339c8f73f2fa168f2cb4a375efb42f7a44a9788 -SHA512 (mbedtls-2.28.1.tar.gz) = cc75027ebbefb4ba1aecdc386cf6b60cceeceda79a474ff5ba67411e41aac9fc2c43c2fb0158be667f1b91e6c19082e17e4e61409acc1498b568f5efc7b00a2c -Size (mbedtls-2.28.1.tar.gz) = 3914438 bytes +BLAKE2s (mbedtls-2.28.2.tar.gz) = e2bb03fbe4fd8a0448746245138fe952be66301896d8c2697b2d3c2bf91af87a +SHA512 (mbedtls-2.28.2.tar.gz) = e459e9b7ba78a536e96842a76c867b08ea3b2ce02cd09e396eadb8760c47edc041e1df541cabe76de52b9b974007829a0288bc9619683f6a601c234b0eece69f +Size (mbedtls-2.28.2.tar.gz) = 3934889 bytes --_----------=_1672750071122830--
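
Review bot: the DISTNAME change from mbedtls-2.28.1 to mbedtls-2.28.2 in the Makefile hunk brings in the two fixes the log lists under Security (the DTLS Connection ID heap overread/overwrite and the RSA private-key side channel), but the log's summary line, "mbedtls: update to 2.28.2.", does not say this is a security update. Suggest marking that in the summary line so anyone tracking fixes in security/mbedtls can pick the commit out without reading the full upstream changelog.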
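
Review bot: the new BLAKE2s, SHA512 and Size lines in the distinfo hunk describe an archive fetched from GitHub by tag (the Makefile context lines show MASTER_SITES= ${MASTER_SITE_GITHUB:=ARMmbed/} and GITHUB_TAG= ${DISTNAME}), so they record what was downloaded at commit time, and nothing in the visible lines ties them to a digest published by upstream. If upstream publishes a checksum for the 2.28.2 release archive, compare it with the fetched file before committing and say so in the log message.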