
Unpin Mbed TLS from version 2.24 #4180

Closed

Conversation

mkitti
Contributor

@mkitti mkitti commented Jan 6, 2022

Currently Mbed TLS is pinned to 2.24, including in some Julia dependencies:

  1. LibSSH2
  2. LibGit2
  3. Curl

This creates an issue when trying to update Mbed TLS in Julia: JuliaLang/julia#42311

We need to remove the pin, which should be possible with Julia 1.6.

This should allow Mbed TLS to be upgraded to 2.27 or 2.28 in response to security advisories.

Note that GDAL and NetCDF use a configure function that I'm not familiar with. Perhaps these need a Julia 1.6 compat declaration.

@mkitti mkitti force-pushed the mk/unpin_MbedTLS_from_2.24 branch from cd64306 to a6f91df on January 6, 2022 08:26
Member

@giordano giordano left a comment


I'm not sure what your point is, but mbedtls regularly breaks ABI; fixing the compat bounds is necessary.

@giordano
Member

giordano commented Jan 6, 2022

And mbedtls 2.28 in #4179 broke the ABI again: libmbedtls has soversion 14, 2.27 had 13.

@giordano giordano closed this Jan 6, 2022
@nalimilan
Member

Why do they keep breaking the API so often?! Their versioning scheme seems... original. :-/

@mkitti
Contributor Author

mkitti commented Jan 7, 2022

@nalimilan, apparently they did not like the order of the fields:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0

Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.
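The release note above is the whole ABI story in miniature: reordering struct fields changes field offsets, so a binary compiled against the old headers reads the wrong bytes from a struct the new library filled in. The following C program, added here as an illustration and not code from this PR or from Mbed TLS, models that with two constructed layouts (`struct session_old` / `struct session_new`, invented field names, not Mbed TLS's real `mbedtls_ssl_session`): the "application" reads `ciphersuite` at the old offset, the "library" writes it at the new one, and the read comes back garbage even though both structs have the same `sizeof`. This is why a soversion bump, and hence a compat bound on the JLL, is the correct response to such a change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: how an older release might lay out a session struct.
 * Field names are invented for this illustration, not Mbed TLS's own. */
struct session_old {
    int ciphersuite;
    int compression;
    uint8_t id_len;
    uint8_t id[32];
};

/* The same logical fields after a release reorders them (the kind of change
 * the 2.28 release note describes). */
struct session_new {
    uint8_t id_len;
    uint8_t id[32];
    int ciphersuite;
    int compression;
};

/* An application built against the OLD headers reads `ciphersuite` at the old
 * offset. It cannot know the library it was dynamically linked to now uses the
 * new layout. memcpy avoids strict-aliasing issues in the demo itself. */
int app_read_ciphersuite_old_abi(const void *session_from_library) {
    int value;
    memcpy(&value,
           (const unsigned char *)session_from_library + offsetof(struct session_old, ciphersuite),
           sizeof value);
    return value;
}

/* The NEW library fills in a session using its own layout. */
void library_fill_session_new_abi(struct session_new *s, int ciphersuite, int compression) {
    memset(s, 0, sizeof *s);
    s->id_len = 4;
    memcpy(s->id, "abcd", 4);
    s->ciphersuite = ciphersuite;
    s->compression = compression;
}

/* 1 if `ciphersuite` sits at the same offset in both layouts, else 0. */
int ciphersuite_offset_matches(void) {
    return offsetof(struct session_old, ciphersuite) == offsetof(struct session_new, ciphersuite);
}

/* 1 if both structs have the same size. A matching size does NOT imply a
 * compatible layout, which is the trap this example demonstrates. */
int sizes_match(void) {
    return sizeof(struct session_old) == sizeof(struct session_new);
}

/* What an old-ABI application sees when the new-ABI library hands it a session
 * carrying `ciphersuite`. With compatible layouts this would return `ciphersuite`. */
int mismatch_demo(int ciphersuite) {
    struct session_new s;
    library_fill_session_new_abi(&s, ciphersuite, 0);
    return app_read_ciphersuite_old_abi(&s);
}

int main(void) {
    printf("ciphersuite offset: old=%zu new=%zu, sizes match=%d\n",
           offsetof(struct session_old, ciphersuite),
           offsetof(struct session_new, ciphersuite), sizes_match());
    printf("library wrote ciphersuite 0x%X, old-ABI app read 0x%X\n",
           0xC02F, mismatch_demo(0xC02F));
    return 0;
}
```

Nothing in the loader catches this: the symbol names are unchanged, only the data layout moved, so the only reliable signal is the library's SONAME (the soversion 13 vs 14 noted above) and a compat bound in the consumer that tracks it.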

@jeremiahpslewis
Contributor

@mkitti @nalimilan Anyone have a rough guess as to how hard it will be to go to v3.1? Kind of wonder whether 2.28 is a porous fix, given that they promise "Removal of many insecure or obsolete features". On the other hand, v3.0 was affected by the same CVEs as 2.2x.

@mkitti
Contributor Author

mkitti commented Jan 7, 2022

In conda-forge, we currently have Julia 1.7.1 that was built with Mbed TLS 3.1, so it builds:

julia                     1.7.1                h989b2f6_1    conda-forge
mbedtls                   3.1.0                h9c3ff4c_0    conda-forge

There is likely an issue with a good portion of Yggdrasil based on the reverse depends. It's possible though.
