allow http-client-tls-0.4, crypton-x509*-1.9, tls-2.2+, jose-1.3 #8050

Merged: juhp merged 2 commits into master from tls-2.2-crypton-1.1 on Jun 29, 2026

juhp (Member) commented Jun 19, 2026

Closes: #7929 #7966 #8033

Addresses https://haskell.github.io/security-advisories/advisory/HSEC-2026-0008.html (crypton-x509-validation, crypton-x509)

ysangkok (Contributor) commented Jun 20, 2026

@juhp You should not need to disable dhall, as it has a flag use-http-client-tls that we could disable.

BTW I have fixed servant and smtp-mail

jappeace (Contributor) commented

mysql-haskell has a flag too which is enabled by default.

woffs (Contributor) commented Jun 20, 2026

just released amqp-utils-0.6.8.0 to manage this

juhp force-pushed the tls-2.2-crypton-1.1 branch from c2461c8 to 84163f0 (June 25, 2026 14:37)

juhp (Member, Author) commented Jun 25, 2026

I updated the PR; although it sounds like Kazu doesn't feel the HSEC issue is really exploitable: so not very serious perhaps? Though I suppose for Stackage LTS users in an enterprise setting there may be compliance requirements, etc.

One can see the full list of packages that will be disabled in the changes.
I did open upstream issues for all the remaining top level packages today that didn't have them.

juhp marked this pull request as ready for review (June 25, 2026 14:40)

juhp changed the title from "allow http-client-tls-0.4, crypton-x509*-1.9, tls-2.2, jose-1.3" to "allow http-client-tls-0.4, crypton-x509*-1.9, tls-2.2+, jose-1.3" (Jun 25, 2026)

ysangkok mentioned this pull request Jun 25, 2026 (13 tasks)

juhp force-pushed the tls-2.2-crypton-1.1 branch from 84163f0 to 4487141 (June 27, 2026 08:34)

juhp (Member, Author) commented Jun 27, 2026

I am thinking to merge this soon probably - hopefully hoauth2 gets fixed soon (there is a PR or 3 now;)

juhp force-pushed the tls-2.2-crypton-1.1 branch from 4487141 to 864eb07 (June 29, 2026 09:03)

juhp (Member, Author) commented Jun 29, 2026

Alright I am going to merge this shortly: hackage is flaking out in CI

(bit tedious to keep it updated with master)

juhp merged commit fab0519 into master (Jun 29, 2026); 0 of 2 checks passed

juhp deleted the tls-2.2-crypton-1.1 branch (June 29, 2026 09:17)

juhp (Member, Author) commented Jun 29, 2026

Okay it built now, though quite a bit of additional collateral alas: 18f59db...57a2734

or overall including here: 487d99f...57a2734

Development

Successfully merging this pull request may close these issues.

crypton-1.1 & tls-2.4
