* James Cowgill: > They seemed pretty resistive to the idea of just adding specific > patches on top of 1.3.9, and if you look at the changelog there are a > number of other security bugs which seem important but don't have CVEs > because they couldn't be triggered remotely. > https://github.com/ARMmbed/mbedtls/blob/mbedtls-1.3.14/ChangeLog
I can sympathesize with that. For example, I strongly recommend the RSA-CRT hardening introduced in 1.3.13. > One thing which was suggested was to use 1.3.14 and then disable at > compile time all the new features which may affect the ABI and then > revert the SONAME change, but is doing that actually allowed for the > security archive or will the update be too big? We can do that, but I don't know if it is a good idea to patch cryptographic software in such extensive ways. We can live with the addition of new symbols, but removal of symbols, changes in struct sizes or offsets, and so on, would be hugely problematic. For are start, you could just build both the old and new versions and run libabigail on them, to get an idea what actually did change. Florian
