Hi,

So I asked upstream about the specific commits which fixed this bug here: https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291

They seemed pretty resistant to the idea of just adding specific patches on top of 1.3.9, and if you look at the changelog there are a number of other security bugs which seem important but don't have CVEs because they couldn't be triggered remotely: https://github.com/ARMmbed/mbedtls/blob/mbedtls-1.3.14/ChangeLog

One thing which was suggested was to use 1.3.14 and then disable at compile time all the new features which may affect the ABI and then revert the SONAME change, but is doing that actually allowed for the security archive, or will the update be too big? (I haven't actually done any of this yet; I'm just checking it'll be OK before I spend my time on it.)

Thanks,
James