public inbox for devel@edk2.groups.io
* [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
@ 2025-05-12  6:36 Prarthana Sagar V via groups.io
  2025-05-12  9:44 ` Gerd Hoffmann via groups.io
From: Prarthana Sagar V via groups.io @ 2025-05-12  6:36 UTC (permalink / raw)
  To: devel@edk2.groups.io
  Cc: Srinivasan Mani, Srini Narayana, Ramesh R, Karthika R,
	Gayathri Thunuguntla, Kanagavel S, Arvin Raj P


Hello,

We would like to know EDK2's plan on updating the OpenSSL version to 3.5.0 (as the OpenSSL 3.4.x series will reach its EOL by Oct 2026) and the MbedTLS version to 3.6.3 (as it includes some CVE vulnerability fixes).

Thanks
Prarthana



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#121332): https://edk2.groups.io/g/devel/message/121332
Mute This Topic: https://groups.io/mt/113066244/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* Re: [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
  2025-05-12  6:36 [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade Prarthana Sagar V via groups.io
@ 2025-05-12  9:44 ` Gerd Hoffmann via groups.io
  2025-05-13 13:41   ` Ard Biesheuvel via groups.io
From: Gerd Hoffmann via groups.io @ 2025-05-12  9:44 UTC (permalink / raw)
  To: devel, prarthanasv
  Cc: Srinivasan Mani, Srini Narayana, Ramesh R, Karthika R,
	Gayathri Thunuguntla, Kanagavel S, Arvin Raj P

On Sun, May 11, 2025 at 11:36:39PM -0700, Prarthana Sagar V via groups.io wrote:
> Hello,
> 
> We would like to know EDK2's plan on updating the OpenSSL version to 3.5.0 (as the OpenSSL 3.4.x series will reach its EOL by Oct 2026)

For openssl-3.5.x I have a draft PR:
https://github.com/tianocore/edk2/pull/10946

edk2 does not build with 3.5.0; I got fixes merged in openssl and am now
waiting for the 3.5.1 release (with the fixes included) for the actual
upgrade.

3.5 is an LTS release, and openssl plans to do an LTS release every two years
going forward (see https://openssl-library.org/roadmap/index.html), so I
expect from now on we'll jump from one LTS release to the next.

take care,
  Gerd



View/Reply Online (#121334): https://edk2.groups.io/g/devel/message/121334




* Re: [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
  2025-05-12  9:44 ` Gerd Hoffmann via groups.io
@ 2025-05-13 13:41   ` Ard Biesheuvel via groups.io
  2025-05-20 16:27     ` Prarthana Sagar V via groups.io
From: Ard Biesheuvel via groups.io @ 2025-05-13 13:41 UTC (permalink / raw)
  To: devel, kraxel
  Cc: prarthanasv, Srinivasan Mani, Srini Narayana, Ramesh R,
	Karthika R, Gayathri Thunuguntla, Kanagavel S, Arvin Raj P

On Mon, 12 May 2025 at 10:45, Gerd Hoffmann via groups.io
<kraxel=redhat.com@groups.io> wrote:
>
> On Sun, May 11, 2025 at 11:36:39PM -0700, Prarthana Sagar V via groups.io wrote:
> > Hello,
> >
> > We would like to know EDK2's plan on updating the OpenSSL version to 3.5.0 (as the OpenSSL 3.4.x series will reach its EOL by Oct 2026)
>
> For openssl-3.5.x I have a draft PR:
> https://github.com/tianocore/edk2/pull/10946
>
> edk2 does not build with 3.5.0; I got fixes merged in openssl and am now
> waiting for the 3.5.1 release (with the fixes included) for the actual
> upgrade.
>
> 3.5 is an LTS release, and openssl plans to do an LTS release every two years
> going forward (see https://openssl-library.org/roadmap/index.html), so I
> expect from now on we'll jump from one LTS release to the next.
>

Thanks for taking care of that.

When I looked into MbedTLS a couple of months ago, it looked like
upgrading was going to be difficult because upstream removed some
pieces (or made them internal to the library) that we rely on in the
integration. So that will need a substantial effort and alignment with
upstream.


View/Reply Online (#121335): https://edk2.groups.io/g/devel/message/121335




* Re: [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
  2025-05-13 13:41   ` Ard Biesheuvel via groups.io
@ 2025-05-20 16:27     ` Prarthana Sagar V via groups.io
  2025-05-29  5:45       ` Prarthana Sagar V via groups.io
From: Prarthana Sagar V via groups.io @ 2025-05-20 16:27 UTC (permalink / raw)
  To: Ard Biesheuvel, devel


May we know how EDK2 plans to fix the below CVEs in MbedTLS, if it's difficult to update to the next version?

Mbed TLS 3.3.0 CVE status (columns: CVE ID / Affected Status / Notes / Document Link)

CVE-2024-45159
  Status: affected
  Notes:  Consumes the affected version. Affected versions are Mbed TLS 3.2.0 to 3.6.0.
  Link:   Limited authentication bypass in TLS 1.3 optional client authentication
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-3/

CVE-2024-45199
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details on affected and unaffected versions.

CVE-2022-46393
  Status: Not affected
  Notes:  An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.

CVE-2021-44732
  Status: Affected
  Notes:  All versions of Mbed TLS are affected.
  Link:   Double Free in mbedtls_ssl_set_session() in an error case. — Mbed TLS documentation
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2021-12/

CVE-2019-14697
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details on affected and unaffected versions.

CVE-2022-35409
  Status: Not affected
  Notes:  Does not consume the affected version. Affected versions are Mbed TLS 2.28.0 to 3.1.0.
  Link:   Buffer overread in DTLS ClientHello parsing — Mbed TLS documentation
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2022-07/

CVE-2024-23744
  Status: Not sure whether it is affected or not (*as of my understanding this CVE is not affected*)
  Notes:  On the NIST website, they mention the issue was discovered in Mbed TLS 3.5.1.
  Link:   https://github.com/Mbed-TLS/mbedtls/issues/8694

CVE-2024-23775
  Status: affected
  Notes:  Consumes the affected version. Affected versions are Mbed TLS 2.28.6 to 3.5.1.
  Link:   Buffer overflow in mbedtls_x509_set_extension()
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

CVE-2023-43615
  Status: affected
  Notes:  All versions of Mbed TLS are affected.
  Link:   Buffer overread in TLS stream cipher suites — Mbed TLS documentation
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/

CVE-2023-52353
  Status: yes, affected
  Notes:  Already fixed in CryptoPkg_57.

CVE-2021-43666
  Status: Not sure whether it is affected or not
  Notes:  This CVE exists in 3.0.0; not sure whether it affects version 3.3.0 also.
  Link:   https://github.com/Mbed-TLS/mbedtls/pull/5155/files

CVE-2018-9989
  Status: Not sure whether it is affected or not
  Notes:  On the NIST website, they mention the issue is in Mbed TLS versions before 2.8.0.
  Link:   https://nvd.nist.gov/vuln/detail/CVE-2018-9989

CVE-2021-45451
  Status: Not sure whether it is affected or not
  Notes:  On the NIST website, they mention the issue is in Mbed TLS versions before 3.1.0.

CVE-2020-36478
  Status: Not sure whether it is affected or not
  Notes:  They provided the patch based on Mbed TLS version 2.25.0, but our Mbed TLS version is 3.3.0.
  Link:   Add tag check to cert algorithm check · Mbed-TLS/mbedtls@ca17ebf
          https://github.com/Mbed-TLS/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8

CVE-2018-9988
  Status: Not sure whether it is affected or not
  Notes:  They provided the patch based on Mbed TLS version 2.8.0, but our Mbed TLS version is 3.3.0.
  Link:   https://nvd.nist.gov/vuln/detail/CVE-2018-9988

CVE-2020-36476
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details on affected and unaffected versions.

CVE-2021-45450
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details on affected and unaffected versions.

CVE-2020-36475
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details on affected and unaffected versions.

CVE-2018-0497
  Status: affected
  Notes:  All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases.
  Link:   Mbed TLS Security Advisory 2018-02
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2018-02/

CVE-2020-36477
  Status: Not affected
  Notes:  Based on the NIST website information, the affected version is 2.24.0.

CVE-2020-10941
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details on affected and unaffected versions.

CVE-2024-23170
  Status: affected
  Notes:  Consumes the affected version. Affected versions are Mbed TLS 2.28.6 to 3.5.1.
  Link:   Timing side channel in private key RSA operations. — Mbed TLS documentation
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

CVE-2020-16150
  Status: affected
  Notes:  All versions of Mbed TLS are affected.
  Link:   Local side channel attack on classical CBC decryption in (D)TLS
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2020-09-1/

CVE-2020-28928
  Status: Not affected
  Notes:  Not affected because we don't have docker files.
  Link:   https://github.com/apache/apisix-docker/pull/166/files


View/Reply Online (#121360): https://edk2.groups.io/g/devel/message/121360
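The status column in the message above is a manual version-range check: take the affected range an advisory states, compare it with the consumed Mbed TLS version (3.3.0), and mark the CVE affected, not affected, or unknown when no range is stated. The script below is an added example of that triage step, not code from the thread, from edk2 or from Mbed TLS; the ranges in CVE_RANGES are a constructed transcription of the version statements quoted in the message for the CVEs that give one, and the `report` and `cleared_by_upgrade` helpers are assumed names. It also goes one step beyond the message by evaluating the same list against the proposed target version 3.6.3, which shows which entries an upgrade would close.

```python
"""Version-range triage for the Mbed TLS CVE list in the message above.

Added example, not code from the thread, edk2 or Mbed TLS. CVE_RANGES is a
constructed transcription of the version statements quoted in the message;
CVEs for which the message gives no range stay 'unknown' rather than guessed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'3.6' -> (3, 6, 0): pad to three components so tuple comparison works."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Range:
    """Inclusive lower bound; upper bound inclusive ('X to Y') or exclusive ('before Y')."""
    low: Version
    high: Version
    high_inclusive: bool

    def contains(self, v: Version) -> bool:
        if v < self.low:
            return False
        return v <= self.high if self.high_inclusive else v < self.high


def span(low: str, high: str) -> Range:
    """Advisory wording 'Affected versions are X to Y' (both ends inclusive)."""
    return Range(parse_version(low), parse_version(high), True)


def before(low: str, high: str) -> Range:
    """NVD wording 'before Y' on a branch that starts at X (Y itself is fixed)."""
    return Range(parse_version(low), parse_version(high), False)


# Constructed transcription of the ranges stated in the message. A CVE maps to
# one Range per release branch the statement names; an empty tuple means the
# message gives no usable range, so the checker reports 'unknown'.
CVE_RANGES: Dict[str, Tuple[Range, ...]] = {
    "CVE-2024-45159": (span("3.2.0", "3.6.0"),),
    "CVE-2022-46393": (before("0.0.0", "2.28.2"), before("3.0.0", "3.3.0")),
    "CVE-2022-35409": (span("2.28.0", "3.1.0"),),
    "CVE-2024-23775": (span("2.28.6", "3.5.1"),),
    "CVE-2024-23170": (span("2.28.6", "3.5.1"),),
    "CVE-2024-45199": (),
    "CVE-2019-14697": (),
}


def triage(cve: str, consumed: str) -> str:
    """'affected', 'not affected', or 'unknown' for one CVE and one consumed version."""
    ranges = CVE_RANGES.get(cve)
    if not ranges:
        return "unknown"
    v = parse_version(consumed)
    return "affected" if any(r.contains(v) for r in ranges) else "not affected"


def report(consumed: str) -> Dict[str, str]:
    """Status of every listed CVE for one consumed Mbed TLS version."""
    return {cve: triage(cve, consumed) for cve in CVE_RANGES}


def cleared_by_upgrade(current: str, target: str) -> Tuple[str, ...]:
    """CVEs the current version is affected by that the target version is not."""
    cur, tgt = report(current), report(target)
    return tuple(c for c in CVE_RANGES
                 if cur[c] == "affected" and tgt[c] == "not affected")


if __name__ == "__main__":
    for cve, status in report("3.3.0").items():
        print(f"{cve}: {status}")
    print("cleared by 3.3.0 -> 3.6.3:", ", ".join(cleared_by_upgrade("3.3.0", "3.6.3")))
```

One caveat the plain range check does not capture: an advisory range such as "2.28.6 to 3.5.1" covers both the 2.28 LTS branch and the 3.x branch, so a single inclusive span treats every later 2.28.x as affected even where a branch-specific fix exists. When an advisory names a per-branch fix version, record it as its own `before()` entry for that branch, as the CVE-2022-46393 entry does for the "before 2.28.2 and 3.x before 3.3.0" wording.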




* Re: [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
  2025-05-20 16:27     ` Prarthana Sagar V via groups.io
@ 2025-05-29  5:45       ` Prarthana Sagar V via groups.io
From: Prarthana Sagar V via groups.io @ 2025-05-29  5:45 UTC (permalink / raw)
  To: Prarthana Sagar V, devel


Do we have any updates on the MbedTLS CVE patch fixes or the upgrade to 3.6.0?


View/Reply Online (#121383): https://edk2.groups.io/g/devel/message/121383


