Security fix for mbedTLS #21050
Security fix for mbedTLS #21050
Conversation
[skip ci] Not tested; not sure if this is sufficient to fix (and note README already has outdated >=2.2). See: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
|
Please don't skip CI on every single one (or any) of your PRs. |
|
Ref #19135 for how to do this properly, last time we tried upgrading something was segfaulting. I have a really hard time reading that security advisory page to tell whether or not 2.3.0 is okay on those vulnerabilities. |
|
Yes, it's unclear that upgrade from 2.3 to 2.4.2 is needed; it seemed to me on first reading of the (brand new) advisory so I wanted to be on the safe side and report. Even if the CVEs patched is for code made after: I'm not sure that part of mbedTLS is used. @yuyichao "Please don't skip CI", good advice.. Someone adviced it to me (I was mostly fixing docs). |
|
@yuyichao yes, I know happened ones before, and I hopefully will now break the habit, sorry! Unclear if you want me to change this PR, as I'm not sure I can (or need to, maybe this PR can be closed, and I'm not sure either that I can do). I've done [skip ci] (almost) always until now, as it has been ok, so sorry again about the habit. |
Not tested; not sure if this is sufficient to fix (and note README already has outdated >=2.2). See:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01