Bug 1188493 (CVE-2020-36425) - VUL-0: CVE-2020-36425: mbedtls: incorrectly uses of revocationDate check when deciding whether to honor certificate revocation via a CRL
Summary: VUL-0: CVE-2020-36425: mbedtls: incorrectly uses of revocationDate check when...
Status: RESOLVED FIXED
Alias: CVE-2020-36425
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Leap 15.2
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/304565/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-20 06:03 UTC by Alexander Bergmann
Modified: 2021-08-06 10:52 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-07-20 06:03:04 UTC 
CVE-2020-36425

An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a
revocationDate check when deciding whether to honor certificate revocation via a
CRL. In some situations, an attacker can exploit this by changing the local
clock.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36425
https://github.com/ARMmbed/mbedtls/pull/3433
https://github.com/ARMmbed/mbedtls/issues/3340
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17
https://bugs.gentoo.org/740108
Comment 1 Pedro Monreal Gonzalez 2021-08-05 10:10:47 UTC 
Resolution:
Affected users will want to upgrade to Mbed TLS 2.24.0, 2.16.8 or 2.7.17 depending on the branch they're currently using.

We have fixed versions in:
 * Version 2.16.9 in openSUSE:Leap:15.2:Update
 * Version 2.8.0 in openSUSE:Leap:15.1:Update
Comment 3 Marcus Meissner 2021-08-06 10:52:34 UTC 
done