package/mbedtls: security bump to version 2.8.10
Fixes the following security issues:
- CVE-2025-27809: Note that TLS clients should generally call
mbedtls_ssl_set_hostname() if they use certificate authentication (i.e.
not pre-shared keys). Otherwise, in many scenarios, the server could be
impersonated. The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if
mbedtls_ssl_set_hostname() has not been called.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/
- CVE-2025-27810: Zeroize temporary heap buffers used in PSA operations.
Fix a vulnerability in the TLS 1.2 handshake. If memory allocation
failed or there was a cryptographic hardware failure when calculating the
Finished message, it could be calculated incorrectly. This would break
the security guarantees of the TLS handshake.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
For more details, see the release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 91bfce113e895fc9637707e73567e5d13da3f169)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Peter Korsgaard