-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update mbedtls to final 2.x release #42311
Update mbedtls to final 2.x release #42311
Conversation
There seems to be a bunch of irrelevant commits on this branch. Perhaps rebasing on master would get rid of them. |
79d13e3
to
6f6d518
Compare
Yep, thanks for the nudge. Fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like you need to submit a PR to build binaries for this (https://github.com/JuliaPackaging/Yggdrasil/tree/master/M/MbedTLS)
Then run make -f ./contrib/refresh_checksums.mk mbedtls
in your Julia tree.
Yggdrasil is done. JuliaRegistries/General#46907 |
I reran the hash update script, but there were no changes, think I already had this covered in an earlier commit (the second commit in the PR). @vtjnash Think both points raised are ✅ |
e6ab8a6
to
223ebd5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the stdlib version number and reran the script to download the Yggdrasil files. All version numbers now look consistent to me.
Nice, thanks! Didn't notice the issue with the makefile, good catch. |
Apparently issues with mbedcrypto, needing updating simultaneously? |
Removing the |
Mbedcrypto is provided as part of mbedtls, so I don't think that is the issue, I suspect there's a problem with libgit2 linking to mbedtls/mbedcrypto binaries, but can't place the error more specifically. |
FYI, 2.27 has fixes for two high-severity security advisories: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1, https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-2 I don't know if these vulnerabilities are exposed through Julia. |
The issue is that we have Mbed TLS pinned to version 2.24 in three places in BinaryBuilder Updating Mbed TLS to 2.27 changes the SO number from 5 to 7. That's why Compiling julia with this patch merged onto master and Also there is now Mbed TLS 2.28 due CVE-2021-44732 |
@jeremiahpslewis Would you be interested in updating this PR to Mbed TLS 2.28 ? |
223ebd5
to
db5fabf
Compare
Sure, superficially it's done. But until there's a 2.28.0 version available on Yggdrasil, I can't bump the _jll dependency. |
Just saw JuliaPackaging/Yggdrasil#4179 was merged. Now updated. |
One note...given that |
Just a reminder that this will not work until we also update LibGit2 and Libssh2, and pin them on Mbed TLS 2.28 intead of 2.24 due to ABI changes in Mbed TLS. https://github.com/JuliaPackaging/Yggdrasil/blob/90c82e2bb9c64f80893a8a25f5d2111400c7c333/L/LibGit2/build_tarballs.jl#L62 I think it's possible to update LibGit2 now since there is a new version available. There is not a new version of Libssh2 as far as I know. |
@mkitti Ok. Is it worth doing the fake version bump trick for Libssh2? |
That's above my paygrade. Given that we likely have some time before everything is in place, we probably should just wait to see if Libssh2 releases anything. Another possibility is moving to Libssh instead of Libssh2, but that will require some action upstream: |
@jeremiahpslewis has an issue open on libssh2 and it seems that a 1.11 release is coming soon: libssh2/libssh2#657 |
I think we can close this one, since the other one (#43250) was merged and addresses the security issues (and there are no changes in the diff here). |
Potential security issues are present in earlier versions...
Link: https://tls.mbed.org/security
See here as well: JuliaPackaging/Yggdrasil#4179