An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
{ "binaries": [ { "binary_name": "libmbedcrypto0", "binary_version": "2.2.1-2ubuntu0.3" }, { "binary_name": "libmbedtls-dev", "binary_version": "2.2.1-2ubuntu0.3" }, { "binary_name": "libmbedtls10", "binary_version": "2.2.1-2ubuntu0.3" }, { "binary_name": "libmbedx509-0", "binary_version": "2.2.1-2ubuntu0.3" } ] }
{ "binaries": [ { "binary_name": "libmbedcrypto3", "binary_version": "2.16.4-1ubuntu2" }, { "binary_name": "libmbedtls-dev", "binary_version": "2.16.4-1ubuntu2" }, { "binary_name": "libmbedtls12", "binary_version": "2.16.4-1ubuntu2" }, { "binary_name": "libmbedx509-0", "binary_version": "2.16.4-1ubuntu2" } ] }
{ "binaries": [ { "binary_name": "libmbedcrypto7", "binary_version": "2.28.0-1build1" }, { "binary_name": "libmbedtls-dev", "binary_version": "2.28.0-1build1" }, { "binary_name": "libmbedtls14", "binary_version": "2.28.0-1build1" }, { "binary_name": "libmbedx509-1", "binary_version": "2.28.0-1build1" } ] }
{ "binaries": [ { "binary_name": "libmbedcrypto7t64", "binary_version": "2.28.8-1" }, { "binary_name": "libmbedtls-dev", "binary_version": "2.28.8-1" }, { "binary_name": "libmbedtls14t64", "binary_version": "2.28.8-1" }, { "binary_name": "libmbedx509-1t64", "binary_version": "2.28.8-1" } ] }