Update mbedtls to final 2.x release #42311
Conversation
|
There seems to be a bunch of irrelevant commits on this branch. Perhaps rebasing on master would get rid of them. |
jeremiahpslewis
force-pushed
the
jeremiahpslewis/mbedtls
branch
from
79d13e3
to
6f6d518
Compare
Yep, thanks for the nudge. Fixed. |
There was a problem hiding this comment.
Looks like you need to submit a PR to build binaries for this (https://github.com/JuliaPackaging/Yggdrasil/tree/master/M/MbedTLS)
Then run make -f ./contrib/refresh_checksums.mk mbedtls in your Julia tree.
vtjnash
added
backport 1.6
|
Yggdrasil is done. JuliaRegistries/General#46907 |
|
I reran the hash update script, but there were no changes, think I already had this covered in an earlier commit (the second commit in the PR). @vtjnash Think both points raised are ✅ |
vtjnash
force-pushed
the
jeremiahpslewis/mbedtls
branch
from
e6ab8a6
to
223ebd5
Compare
vtjnash
added
the
status:merge me
|
Nice, thanks! Didn't notice the issue with the makefile, good catch. |
|
Apparently issues with mbedcrypto, needing updating simultaneously? |
DilumAluthge
removed
the
status:merge me
|
Removing the |
|
Mbedcrypto is provided as part of mbedtls, so I don't think that is the issue, I suspect there's a problem with libgit2 linking to mbedtls/mbedcrypto binaries, but can't place the error more specifically. |
|
FYI, 2.27 has fixes for two high-severity security advisories: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1, https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2 I don't know if these vulnerabilities are exposed through Julia. |
|
The issue is that we have Mbed TLS pinned to version 2.24 in three places in BinaryBuilder Updating Mbed TLS to 2.27 changes the SO number from 5 to 7. That's why Compiling julia with this patch merged onto master and Also there is now Mbed TLS 2.28 due CVE-2021-44732 |
|
@jeremiahpslewis Would you be interested in updating this PR to Mbed TLS 2.28 ? |
jeremiahpslewis
force-pushed
the
jeremiahpslewis/mbedtls
branch
from
223ebd5
to
db5fabf
Compare
Sure, superficially it's done. But until there's a 2.28.0 version available on Yggdrasil, I can't bump the _jll dependency. |
|
Just saw JuliaPackaging/Yggdrasil#4179 was merged. Now updated. |
|
One note...given that |
|
Just a reminder that this will not work until we also update LibGit2 and Libssh2, and pin them on Mbed TLS 2.28 intead of 2.24 due to ABI changes in Mbed TLS. https://github.com/JuliaPackaging/Yggdrasil/blob/90c82e2bb9c64f80893a8a25f5d2111400c7c333/L/LibGit2/build_tarballs.jl#L62 I think it's possible to update LibGit2 now since there is a new version available. There is not a new version of Libssh2 as far as I know. |
|
@mkitti Ok. Is it worth doing the fake version bump trick for Libssh2? |
|
That's above my paygrade. Given that we likely have some time before everything is in place, we probably should just wait to see if Libssh2 releases anything. Another possibility is moving to Libssh instead of Libssh2, but that will require some action upstream: |
|
@jeremiahpslewis has an issue open on libssh2 and it seems that a 1.11 release is coming soon: libssh2/libssh2#657 |
|
I think we can close this one, since the other one (#43250) was merged and addresses the security issues (and there are no changes in the diff here). |
KristofferC
removed
backport 1.6
Potential security issues are present in earlier versions...
Link: https://tls.mbed.org/security
See here as well: JuliaPackaging/Yggdrasil#4179