authorStefan Ghinea <stefan.ghinea@windriver.com>2023-01-26 23:07:40 +0200
committerKhem Raj <raj.khem@gmail.com>2023-01-26 13:16:34 -0800
commit2ab113e8be42ae2dd61babb8e9a1742684df1f59 (patch)
treec748522bacd8660215ae92d9fd21c524201c06d0
parent91129b0c94124fa4042521d590dd6b9b1245f78e (diff)
downloadmeta-openembedded-contrib-2ab113e8be42ae2dd61babb8e9a1742684df1f59.tar.gz
mbedtls: upgrade to 2.28.2 to fix CVE-2022-46392, CVE-2022-46393
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller. An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. References: https://nvd.nist.gov/vuln/detail/CVE-2022-46392 https://nvd.nist.gov/vuln/detail/CVE-2022-46393 Upstream patches: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb (renamed from meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb)2
1 files changed, 1 insertions, 1 deletions
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb
index b178f5785b..3c52fe13b0 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.1.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.2.bb
@@ -23,7 +23,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SECTION = "libs"
S = "${WORKDIR}/git"
-SRCREV = "dd79db10014d85b26d11fe57218431f2e5ede6f2"
+SRCREV = "89f040a5c938985c5f30728baed21e49d0846a53"
SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=mbedtls-2.28"
inherit cmake