[Buildroot] [PATCH 1/1] package/tpm2-tools: security bump to version 4.3.2
Peter Korsgaard
peter at korsgaard.com
Mon Jul 12 21:05:10 UTC 2021
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> - Fix CVE-2021-3565: A flaw was found in tpm2-tools in versions before
>   5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner
>   wrapper, potentially allowing a MITM attacker to unwrap the inner
>   portion and reveal the key being imported. The highest threat from
>   this vulnerability is to data confidentiality.
> - LICENSE moved in doc directory since
>   https://github.com/tpm2-software/tpm2-tools/commit/23aa5dca660f596b2ad89542d5100bd4ef0c871a
>   and hash updated due to the following line added with
>   https://github.com/tpm2-software/tpm2-tools/commit/305011b2a7d091740fa01dbfbd27a48a76f670f7
>   Copyright 2019 Fraunhofer SIT sponsored by Infineon Technologies AG
> - libuuid and wchar (for mbstate_t) are mandatory since version 4.2 and
>   https://github.com/tpm2-software/tpm2-tools/commit/eca77c1419617a8e2d6d8008bac716878b0c27ca
>
> https://github.com/tpm2-software/tpm2-tools/blob/4.3.2/doc/CHANGELOG.md
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
For 2021.02.x and 2021.05.x I have instead backported the security fix,
thanks.
--
Bye, Peter Korsgaard