Package mbedtls updated to version 3.6.3-alt1 for branch c10f2 in task 380993.

Published: 2025-03-25
Modified: 2025-03-25

CVE-2025-27809

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

References:

https://github.com/Mbed-TLS/mbedtls/releases
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
https://github.com/Mbed-TLS/mbedtls/issues/466
https://mastodon.social/@bagder/114219540623402700

Published: 2025-03-25

CVE-2025-27810

Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases of failed memory allocation or hardware errors, uses uninitialized stack memory to compose the TLS Finished message, potentially leading to authentication bypasses such as replays.

References:

https://github.com/Mbed-TLS/mbedtls/releases
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/

Version: 2.1.1

Package mbedtls update in c10f2 on 2025-04-14

ALT-PU-2025-5335-3

Closed vulnerabilities

CVE-2025-27809

CVE-2025-27810