Mbed TLS 2.28.9

Description

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

Security Advisories

For full details, please see the following links:

• CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG

Release Notes

Security

• Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
  not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
  MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
  CVE-2024-45157

Bugfix

• Fix the build in some configurations when check_config.h is not included.
  Fix #9152.
• Fix issue of redefinition warning messages for _GNU_SOURCE in
  entropy_poll.c and sha_256.c. There was a build warning during
  building for linux platform.
  Resolves #9026
• Fix error handling when creating a key in a dynamic secure element
  (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
  the creation could return PSA_SUCCESS but using or destroying the key
  would not work. Fixes #8537.
• Fix a memory leak that could occur when failing to process an RSA
  key through some PSA functions due to low memory conditions.
• Document and enforce the limitation of mbedtls_psa_register_se_key()
  to persistent keys. Resolves #9253.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Note

❕ mbedtls-2.28.9.tar.bz2 are our official release files. source.tar.gz and source.zip are automatically generated snapshot's that github is generating. They do not include external dependencies, and can't be configured

Checksum

The SHA256 hashes for the archives are:
e85ea97aaf78dd6c0a5ba2e54dd5932ffa15f39abfc189c26beef7684630c02b mbedtls-2.28.9.tar.bz2