49fdb75c7b
This release includes fixes for security issues.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.
Security Advisories
For full details, please see the following links:
Race condition in AESNI support detection [1]
Heap buffer under-read when parsing PEM-encrypted material [2]
Unchecked return value in LMS verification allows signature bypass [3]
Out-of-bounds read in mbedtls_lms_import_public_key() [4]
Timing side-channel in block cipher decryption with PKCS#7 padding [5]
NULL pointer dereference after using mbedtls_asn1_store_named_data() [6]
Misleading memory management in mbedtls_x509_string_to_names() [7]
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-1/
[2] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-2/
[3] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-3/
[4] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-4/
[5] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-5/
[6] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-6/
[7] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-7/
Signed-off-by: Antony Kolitsos <zeusomighty@hotmail.com>
Link: https://github.com/openwrt/openwrt/pull/19291
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 2c8a433cd2)
Link: https://github.com/openwrt/openwrt/pull/19324
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>