Document Mbed TLS side channel attack on deterministic ECDSA.

Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10

security/vuxml/vuln.xml

@@ -58,6 +58,42 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="1c948fd3-dac0-11e9-81b2-0011d823eebd">
+    <topic>Mbed TLS -- Side channel attack on deterministic ECDSA</topic>
+    <affects>
+      <package>
+	<name>mbedtls</name>
+	<range><lt>2.16.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Janos Follath reports:</p>
+	<blockquote cite="https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10">
+	  <p>Mbed TLS does not have a constant-time/constant-trace arithmetic
+	    library and uses blinding to protect against side channel
+	    attacks.</p>
+	  <p>In the ECDSA signature routine previous Mbed TLS versions used the
+	    same RNG object for generating the ephemeral key pair and for
+	    generating the blinding values. The deterministic ECDSA function
+	    reused this by passing the RNG object created from the private key
+	    and the message to be signed as prescribed by RFC 6979. This meant
+	    that the same RNG object was used whenever the same message was
+	    signed, rendering the blinding ineffective.</p>
+	  <p>If the victim can be tricked to sign the same message repeatedly,
+	    the private key may be recoverable through side channels.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10</url>
+    </references>
+    <dates>
+      <discovery>2019-09-06</discovery>
+      <entry>2019-09-19</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="55571619-454e-4769-b1e5-28354659e152">
     <topic>bro -- invalid memory access or heap buffer over-read</topic>
     <affects>