{"id":2225317,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2225317/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260420202031.210609-1-thomas.perale@mind.be/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/1.1/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260420202031.210609-1-thomas.perale@mind.be>","date":"2026-04-20T20:20:31","name":"package/mbedtls: security bump to v3.6.6","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"53c4d3465e842be4ece8169e5a950cd54b45420a","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/1.1/people/87308/?format=json","name":"Thomas Perale","email":"thomas.perale@mind.be"},"delegate":{"id":89618,"url":"http://patchwork.ozlabs.org/api/1.1/users/89618/?format=json","username":"juju","first_name":"Julien","last_name":"Olivain","email":"juju@cotds.org"},"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260420202031.210609-1-thomas.perale@mind.be/mbox/","series":[{"id":500675,"url":"http://patchwork.ozlabs.org/api/1.1/series/500675/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=500675","date":"2026-04-20T20:20:31","name":"package/mbedtls: security bump to v3.6.6","version":1,"mbox":"http://patchwork.ozlabs.org/series/500675/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225317/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225317/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=prWmqZnu;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzxgt1S8zz1yCv\n\tfor ;\n Tue, 21 Apr 2026 06:20:41 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 172F661114;\n\tMon, 20 Apr 2026 20:20:40 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Jut1jeVoUE0y; Mon, 20 Apr 2026 20:20:38 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 9DF9D61115;\n\tMon, 20 Apr 2026 20:20:38 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id 23B3624D\n for ; Mon, 20 Apr 2026 20:20:37 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 158AB40A21\n for ; Mon, 20 Apr 2026 20:20:37 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id fuyXfdRatCHy for ;\n Mon, 20 Apr 2026 20:20:36 +0000 (UTC)","from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com\n [IPv6:2a00:1450:4864:20::32b])\n by smtp4.osuosl.org (Postfix) with ESMTPS id D2C40409BC\n for ; Mon, 20 Apr 2026 20:20:35 +0000 (UTC)","by mail-wm1-x32b.google.com with SMTP id\n 5b1f17b1804b1-488a9033b2cso39632505e9.2\n for ; Mon, 20 Apr 2026 13:20:35 -0700 (PDT)","from arch (94.105.119.19.dyn.edpnet.net. [94.105.119.19])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43fe4e3a397sm34561895f8f.23.2026.04.20.13.20.32\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 20 Apr 2026 13:20:32 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 9DF9D61115","OpenDKIM Filter v2.11.0 smtp4.osuosl.org D2C40409BC"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776716438;\n\tbh=oRpirXqXNhYbzNiwB8pR2AOabg1RnyUrxAAna4VaNc8=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=prWmqZnuZwm+uL9IMWhcLVIncNjo7AUsJsgdLosblFJYRV9NzLSs8h+Wx675ro/jK\n\t 5CFor3BM3roGztPUEBrYBBc8brKpQyjxTv2vJJnPkBPLJapXu+ShQo7pNGlDTW2SzH\n\t F/69hS2dt/sNl6e1VBTEjnLQefoM8t28lgKQ1xClonbj8RzsALtCVjwijqaptXJFdl\n\t 9i+N5r54QCkxg0U6wKK7nFy+sV84uOwvTYGZneFTpDvJzqmuPPI0ox8ETqqRdfgwRV\n\t CVVGLbh0NPnF9Q+sqnl001ALLP7nq2oxE81AQnPmMVHffIT4UXGyzD3H9AG+z8EDzz\n\t ugOKIQ+4Mk33g==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::32b; helo=mail-wm1-x32b.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org D2C40409BC","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776716433; x=1777321233;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=RrhckuZpSEtaK5iugrHs8u6LUxU5oDUxMYholAL6uUI=;\n b=CU9bSLejgQQg4ePLOsyJ5YamrHyKqDOpxwFt/vv/h5dkP+Z4Rham9H1M5Y4n+K17SZ\n 9AtEbQbOYFHc7vFtVeP1uoCZiNY3NySDPGEmBSpVo4pMgzc6Wj1kPI4Pqac4+VcOvJqa\n 6dBqgE7OPoe7G+LaE6PAZYex3yynBiGOQLDit8xLKSNsmwIBfBUPz3oKtBFTGnCeg4E1\n B9e51obxal9m7rlA3E8lo4NLwrnPGor2ScmomNXHZZ5EPu/ShfCaKl92RA3gRAu2CBFJ\n 4tKc7Mfcf8Jpw2ZAkWTTbnlvNX3pMcUk77xphCwxPhp3gFZh7i1/yKA5S5XQBBa3WNGK\n p8bQ==","X-Gm-Message-State":"AOJu0Yz1OL/glGdiYZ4bqyJ4qNx3UKMJ86/BMqI1Zx4o09FgjsmSoCnp\n 3wgPnqE87A9YVSaqZaa67Oj3lKUSyV0XFWuV/6T3dh2A+U1zLyvqzB/DEiRXom6vCa/SdMPbwEr\n P/RrA","X-Gm-Gg":"AeBDieuxkQ2M4h44gYWFuR/HVGtN6jALWO4CAtl1X0jnnXqPSosgqPY4SIRoWkM2EJZ\n UV5bNRchkA4zMoGsuxEt5Pt5K0NFBPqO0c4tzgdaXfJ0WR62mdoac5vOZ+CJdZfj238JJc4DCf+\n DFYUEbq/3mb9LkWUN3c431tj9sAh9XBiMyWoEXSngc+6tBevobr3hYRwTj+wfMsm1VzL4d7L8Xx\n sBnY4uFyD7f+H7/4qtbY/g45tzs91VIQZgsS5xDynoLV2jWJgWtKKZLbCo09mpeSqXYL8kxg0Ht\n bKsf2artzrxbs9k7jvVceXDvovRv67mT+Q2B6U72BIKWbTgMXjaGFFVKlVj9eqj09JcDN91Vo0U\n oHYCRQPwKQP5mMeUAd4DjHxsZpX7+ANLbm2+aO3kyHjEv13pVRl1tRa5RFH3F0iXJhsB5UyKnTP\n 5lsnmrRna8DT4SsGbLQtW7fKrJmP15uhiFWmyKjSNDlAJBC0VOvfgyklLsOWVbCUwFow==","X-Received":"by 2002:a05:600c:8b8a:b0:489:149a:f9e7 with SMTP id\n 5b1f17b1804b1-489149afa2bmr107736665e9.27.1776716432830;\n Mon, 20 Apr 2026 13:20:32 -0700 (PDT)","To":"buildroot@buildroot.org","Cc":"Fabrice Fontaine ","Date":"Mon, 20 Apr 2026 22:20:31 +0200","Message-ID":"<20260420202031.210609-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776716433; x=1777321233; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=RrhckuZpSEtaK5iugrHs8u6LUxU5oDUxMYholAL6uUI=;\n b=iSZ2A79R4mqso/X7cLs91KZtNSORWlrL8PYT1xTmytMClpbWAuocLXQ4DavjuRTXq2\n 1yR30dC/ZFWoCQ9QzcT8Bw3g/AEznBmbZRi76U/A8/JlW2OFQyRjv7Z/2Z6M1E4CZJyT\n azaMwyntGd2Vw9G27l/s3vjoSgMv1R0AsitMRP4XknfMekPWr7CkceoHiN85Ye0smjKZ\n 0MlXFMmhh31ZQxLhHcjvS77vTiLnMZxWClsu9RT9WhrLL7aHIQwT/yeyKVx3lCCqfWc+\n aN3lzw/UhRigAhxhl3gK+77gI/zoU4D9kPqkqtVkryKAerfdDemH8eMcOlhNNgA1C1Tc\n yLaQ==","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp4.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=iSZ2A79R"],"Subject":"[Buildroot] [PATCH] package/mbedtls: security bump to v3.6.6","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"Thomas Perale via buildroot ","Reply-To":"Thomas Perale ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "},"content":"For more information about the release, see:\n\n- https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6\n- https://github.com/Mbed-TLS/mbedtls/compare/mbedtls-3.6.5..mbedtls-3.6.6\n\nFixes the following vulnerabilities:\n\n- CVE-2025-66442\n In Mbed TLS through 4.0.0, there is a compiler-induced timing side\n channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's\n select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2025-66442\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/\n\n- CVE-2026-25833:\n Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow\n in the x509_inet_pton_ipv6() function\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-25833\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-inet-pton/\n\n- CVE-2026-25834:\n Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-25834\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-sigalg-injection/\n\n- CVE-2026-25835:\n Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a\n Pseudo-Random Number Generator (PRNG).\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-25835\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning/\n\n- CVE-2026-34871:\n An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0\n and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a\n Pseudo-Random Number Generator (PRNG).\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34871\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/\n\n- CVE-2026-34872:\n An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and\n TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH\n due to improper input validation. Using finite-field Diffie-Hellman,\n the other party can force the shared secret into a small set of values\n (lack of contributory behavior). This is a problem for protocols that\n depend on contributory behavior (which is not the case for TLS). The\n attack can be carried by the peer, or depending on the protocol by an\n active network attacker (person in the middle).\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34872\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-peerkey-checks/\n\n- CVE-2026-34873:\n An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client\n impersonation can occur while resuming a TLS 1.3 session.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34873\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/\n\n- CVE-2026-34874:\n An issue was discovered in Mbed TLS through 3.6.5 and 4.x through\n 4.0.0. There is a NULL pointer dereference in distinguished name\n parsing that allows an attacker to write to address 0.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34874\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/\n\n- CVE-2026-34875:\n An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto\n 1.0.0. A buffer overflow can occur in public key export for FFDH keys.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34875\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/\n\n- CVE-2026-34876:\n An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds\n read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows\n attackers to obtain adjacent CCM context data via invocation of the\n multipart CCM API with an oversized tag_len parameter. This is caused\n by missing validation of the tag_len parameter against the size of the\n internal 16-byte authentication buffer. The issue affects the public\n multipart CCM API in Mbed TLS 3.x, where mbedtls_ccm_finish() can be\n invoked directly by applications. In Mbed TLS 4.x versions prior to\n the fix, the same missing validation exists in the internal\n implementation; however, the function is not exposed as part of the\n public API. Exploitation requires application-level invocation of the\n multipart CCM API.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34876\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ccm-finish-boundary-check/\n\n- CVE-2026-34877:\n An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5,\n Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or\n session structures allows an attacker who can modify the serialized\n structures to induce memory corruption, leading to arbitrary code\n execution. This is caused by Incorrect Use of Privileged APIs.\n\nFor more information, see:\n - https://www.cve.org/CVERecord?id=CVE-2026-34877\n - https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/\n\nSigned-off-by: Thomas Perale \n---\n package/mbedtls/mbedtls.hash | 4 ++--\n package/mbedtls/mbedtls.mk | 2 +-\n 2 files changed, 3 insertions(+), 3 deletions(-)","diff":"diff --git a/package/mbedtls/mbedtls.hash b/package/mbedtls/mbedtls.hash\nindex b86c66af3e..f1be074e08 100644\n--- a/package/mbedtls/mbedtls.hash\n+++ b/package/mbedtls/mbedtls.hash\n@@ -1,4 +1,4 @@\n-# From https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.5:\n-sha256 4a11f1777bb95bf4ad96721cac945a26e04bf19f57d905f241fe77ebeddf46d8 mbedtls-3.6.5.tar.bz2\n+# From https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6:\n+sha256 8fb65fae8dcae5840f793c0a334860a411f884cc537ea290ce1c52bb64ca007a mbedtls-3.6.6.tar.bz2\n # Locally calculated\n sha256 9b405ef4c89342f5eae1dd828882f931747f71001cfba7d114801039b52ad09b LICENSE\ndiff --git a/package/mbedtls/mbedtls.mk b/package/mbedtls/mbedtls.mk\nindex c1aa9f0850..e8bb0a71b9 100644\n--- a/package/mbedtls/mbedtls.mk\n+++ b/package/mbedtls/mbedtls.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-MBEDTLS_VERSION = 3.6.5\n+MBEDTLS_VERSION = 3.6.6\n MBEDTLS_SITE = https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-$(MBEDTLS_VERSION)\n MBEDTLS_SOURCE = mbedtls-$(MBEDTLS_VERSION).tar.bz2\n MBEDTLS_CONF_OPTS = \\\n","prefixes":[]}