Hi Mbed TLS users,
We have released Mbed TLS versions 3.5.2 and 2.28.7.
These releases contain security fixes for: a timing side channel in private key RSA operations; and a buffer overflow in mbedtls_x509_set_extension.
Full details are available in the release notes.
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.7https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.2
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many thanks.
Dave
Hi Mbed TLS users,
We are planning to change the license for Mbed TLS shortly, from Apache 2.0 to a dual license Apache 2.0 / GPLv2-0-or-later license.
This will allow GPL-licensed projects to take Mbed TLS under a GPL license.
Projects which currently take Mbed TLS under an Apache 2.0 license may continue to do so, and therefore should not be affected by this change.
The inbound license, under which we accept contributions, is already a dual-license. There is therefore no impact for contributors, and no impact on PRs that are currently in review, or those that have previously been integrated into the library.
We hope that this will enable more projects to make use of Mbed TLS.
Dave Rodgman
We have released Mbed TLS versions 3.5.0 and 2.8.5.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5, https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many Thanks.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Mbed TLS users,
We are releasing Mbed TLS 3.4.1 and 2.28.4 LTS.
As the point release suggests, this is a small update which primarily addresses some expiring test certificates.
Full details are available via the release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.4.1https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Thanks,
The Mbed TLS team
Hi Mbed TLS users,
We have released Mbed TLS versions 3.4.0 and 2.28.3
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes.
(https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-3.4.0, https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.28.3).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
The Mbed TLS team
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hello,
You are concerned if: you contribute to Mbed TLS, or you maintain local patches to Mbed TLS.
You are not concerned if: you just use Mbed TLS.
We are going to change the C coding style in Mbed TLS. The new style is mostly what you'd find in The C Programming Language, 2nd edition, by Brian Kernighan and Dennis Ritchie (K&R2). The main changes compared to the current style are:
* Spaces outside parentheses, not inside. No space in f(x).
* Opening braces on the same line as if(), for(), etc., but on a separate line for functions.
Indentation remains 4 spaces. The recommended maximum line length remains 80 columns. There are a few deviations from K&R2, documentation will be available shortly.
The new code style will be enforced by the CI testing. This means that style that's rejected by the tool will not be merged, full stop. This also means that sometimes we'll have code that looks a bit less good to humans because the tool insists on it. We're doing this to avoid wasting reviewers' and contributors' time with style violations in code review.
The tool we're using is uncrustify<https://github.com/uncrustify/uncrustify>. You can see how your code will look like by installing uncrustify 0.75.1 and running scripts/code_style.py from mbedtls-3.3.0 or mbedtls-2.28.2. There are previews of the rewritten branches at https://github.com/Mbed-TLS/mbedtls/tree/features/new-code-style/development and https://github.com/Mbed-TLS/mbedtls/tree/features/new-code-style/mbedtls-2.… (updated every few days until the real branches are rewritten). If you're now starting work on a new feature or bugfix, it will probably be easier to start from those branches, and do an easy rebase once they become official.
If you've been working on a branch, we will provide a script to rebase the branch and rewrite it to the new style commit by commit. You'll need to have uncrustify 0.75.1.
Concretely, when we change the code style:
* If you've started to work on a branch but review has not started yet, we'll ask you to adapt your branch to the new code style.
* If your work is under review, you'll need to adapt your branch to the new code style before it can be merged. Rebasing a branch is disruptive for reviews, so please synchronize with the reviewers to decide on a good time.
We plan to do the switch during the first week of January 2023.
Best regards,
--
Gilles Peskine
Mbed TLS developer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Mbed TLS users,
We are pleased to announce the release of Mbed TLS versions 3.3.0 and 2.28.2.
These releases of Mbed TLS address several security issues, provide bug fixes, and bring other minor changes. Full details are available in the release notes (https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-3.3.0 and https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.28.2 ).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
The releases are available from
https://github.com/Mbed-TLS/mbedtls/releases
Dave Rodgman
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Mbed TLS users,
We have released Mbed TLS version 3.2.1.
This release is functionally identical to 3.2.0, but includes a file that was missing from the 3.2.0 release (see https://github.com/Mbed-TLS/mbedtls/issues/6084).
Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.1).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Many thanks,
Mbed TLS Team.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Mbed TLS users,
We have released Mbed TLS versions 3.2.0 and 2.28.1.
These releases of Mbed TLS address several security issues, provide bug fixes, and for 3.2.0, add various features. Full details are available in the release notes (https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.2.0, https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1).
We recommend all users to consider whether they are impacted, and to upgrade appropriately.
Dave Rodgman
