
Conversation

@jlsec-bot
Contributor

This action searched --project=mbedtls, checking 59 (+0) advisories from NVD and 1 (+8) from EUVD for advisories that pertain here. It identified 35 advisories as being related to the Julia package(s): MbedTLS_jll.

7 advisories apply to all registered versions of a package

These advisories had no obvious failures but computed a range without bounds.

  • CVE-2021-43666 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at <= 3.0.0 includes all versions
  • CVE-2021-45451 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at < 3.1.0 includes all versions
  • CVE-2023-52353 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at < 3.5.2 includes all versions
  • CVE-2025-47917 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at < 3.6.4 includes all versions
  • CVE-2025-48965 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at < 3.6.4 includes all versions
  • CVE-2025-52496 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at < 3.6.4 includes all versions
  • CVE-2025-52497 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["*"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at < 3.6.4 includes all versions

1 advisory applies to the latest version of a package and does not have a patch

  • CVE-2021-36647 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.27.0+0", ">= 2.28.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
      • arm:mbed_tls at >= 2.28.0, < 3.0.0 mapped to [>= 2.28.0+0], includes the latest version

27 advisories found concrete vulnerable ranges

  • CVE-2019-16910 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2019-18222 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-10932 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-10941 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.6+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-16150 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36421 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36422 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36423 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36424 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36425 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36426 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36475 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.25.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36476 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.16.8+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36477 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.24.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2020-36478 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.25.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2021-24119 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.26.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2021-44732 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2021-45450 for packages: MbedTLS_jll
    • MbedTLS_jll computed [">= 2.24.0+0, < 2.28.0+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2022-35409 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.2+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2022-46392 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.2+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2022-46393 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.2+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2023-43615 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.6+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2024-23170 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.10+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2024-23775 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.10+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2024-28960 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.10+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2024-45157 for packages: MbedTLS_jll
    • MbedTLS_jll computed [">= 2.26.0+0, < 2.28.10+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}
  • CVE-2025-27809 for packages: MbedTLS_jll
    • MbedTLS_jll computed ["< 2.28.10+0"]. Its latest version (2.28.10+0) has components: {mbedtls = "2.28.10"}

@mbauman
Member

mbauman commented Oct 23, 2025

GeneralMetadata has the following mbedtls versions:

[MbedTLS_jll]
"2.16.0+0" = {mbedtls = "2.16.0"}
"2.16.0+1" = {mbedtls = "2.16.0"}
"2.16.0+2" = {mbedtls = "2.16.0"}
"2.16.6+0" = {mbedtls = "2.16.6"}
"2.16.6+1" = {mbedtls = "2.16.6"}
"2.16.8+0" = {mbedtls = "2.16.8"}
"2.16.8+1" = {mbedtls = "2.16.8"}
"2.24.0+0" = {mbedtls = "2.24.0"}
"2.24.0+1" = {mbedtls = "2.24.0"}
"2.24.0+2" = {mbedtls = "2.24.0"}
"2.24.0+3" = {mbedtls = "2.24.0"}
"2.24.0+4" = {mbedtls = "2.24.0"}
"2.24.0+5" = {mbedtls = "2.24.0"}
"2.25.0+0" = {mbedtls = "2.25.0"}
"2.25.0+1" = {mbedtls = "2.25.0"}
"2.25.0+2" = {mbedtls = "2.25.0"}
"2.25.0+3" = {mbedtls = "2.25.0"}
"2.26.0+0" = {mbedtls = "2.26.0"}
"2.26.0+1" = {mbedtls = "2.26.0"}
"2.26.0+2" = {mbedtls = "2.26.0"}
"2.27.0+0" = {mbedtls = "2.27.0"}
"2.27.0+1" = {mbedtls = "2.27.0"}
"2.28.0+0" = {mbedtls = "2.28.0"}
"2.28.0+1" = {mbedtls = "2.28.0"}
"2.28.0+2" = {mbedtls = "2.28.0"}
"2.28.2+0" = {mbedtls = "2.28.2"}
"2.28.2+1" = {mbedtls = "2.28.2"}
"2.28.2+2" = {mbedtls = "2.28.2"}
"2.28.6+0" = {mbedtls = "2.28.6"}
"2.28.6+1" = {mbedtls = "2.28.6"}
"2.28.6+2" = {mbedtls = "2.28.6"}
"2.28.10+0" = {mbedtls = "2.28.10"}

As per the Debian security team, this only applies if TLS 1.3 is enabled (it's not enabled).
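The report above maps each advisory's upstream mbedtls range onto the registered MbedTLS_jll versions via the component table quoted in this comment, and then buckets the result: a range that covers every registered build collapses to ["*"] (the "range without bounds" section), a range that still covers 2.28.10+0 is "applies to the latest version", and everything else is a concrete vulnerable range. The following is an added illustration of that mapping, written here for this thread; it is not jlsec-bot's code. It takes the component table verbatim, uses the two upstream ranges the report quotes (CVE-2021-43666 "<= 3.0.0" and CVE-2021-36647 ">= 2.28.0, < 3.0.0", plus a "< 2.27.0" range for the same CVE inferred from the computed "< 2.27.0+0" shown above); the upstream ranges given for CVE-2019-16910 and CVE-2021-45450 are assumed for illustration, and the bucket names are mine.

```python
import operator
import re
from typing import Dict, List, Tuple

# Registered MbedTLS_jll versions and the mbedtls component each bundles,
# copied from the GeneralMetadata table quoted in the comment above.
JLL_COMPONENTS: Dict[str, str] = {
    "2.16.0+0": "2.16.0", "2.16.0+1": "2.16.0", "2.16.0+2": "2.16.0",
    "2.16.6+0": "2.16.6", "2.16.6+1": "2.16.6",
    "2.16.8+0": "2.16.8", "2.16.8+1": "2.16.8",
    "2.24.0+0": "2.24.0", "2.24.0+1": "2.24.0", "2.24.0+2": "2.24.0",
    "2.24.0+3": "2.24.0", "2.24.0+4": "2.24.0", "2.24.0+5": "2.24.0",
    "2.25.0+0": "2.25.0", "2.25.0+1": "2.25.0", "2.25.0+2": "2.25.0",
    "2.25.0+3": "2.25.0",
    "2.26.0+0": "2.26.0", "2.26.0+1": "2.26.0", "2.26.0+2": "2.26.0",
    "2.27.0+0": "2.27.0", "2.27.0+1": "2.27.0",
    "2.28.0+0": "2.28.0", "2.28.0+1": "2.28.0", "2.28.0+2": "2.28.0",
    "2.28.2+0": "2.28.2", "2.28.2+1": "2.28.2", "2.28.2+2": "2.28.2",
    "2.28.6+0": "2.28.6", "2.28.6+1": "2.28.6", "2.28.6+2": "2.28.6",
    "2.28.10+0": "2.28.10",
}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.28.10+0' -> (2, 28, 10, 0); '2.28.10' -> (2, 28, 10)."""
    return tuple(int(p) for p in re.split(r"[.+]", v))


def parse_constraints(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """'>= 2.28.0, < 3.0.0' -> [('>=', (2, 28, 0)), ('<', (3, 0, 0))]."""
    out = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        out.append((m.group(1), parse_version(m.group(2))))
    return out


def affected_jll_versions(upstream_ranges: List[str]) -> List[str]:
    """JLL builds (in registry order) whose bundled mbedtls matches any upstream range."""
    parsed = [parse_constraints(s) for s in upstream_ranges]
    hits = []
    for jll in sorted(JLL_COMPONENTS, key=parse_version):
        comp = parse_version(JLL_COMPONENTS[jll])
        if any(all(OPS[op](comp, bound) for op, bound in spec) for spec in parsed):
            hits.append(jll)
    return hits


def jll_ranges(affected: List[str]) -> List[str]:
    """Collapse affected builds into half-open ranges over the registry order,
    using the same shorthand as the report: '*' for everything, '< next' when the
    run starts at the oldest build, '>= first' when it reaches the latest build."""
    ordered = sorted(JLL_COMPONENTS, key=parse_version)
    idx = {v: i for i, v in enumerate(ordered)}
    marks = sorted(idx[v] for v in affected)
    ranges, i = [], 0
    while i < len(marks):
        j = i
        while j + 1 < len(marks) and marks[j + 1] == marks[j] + 1:
            j += 1  # extend the run while indices stay contiguous
        lo, hi = marks[i], marks[j]
        if lo == 0 and hi == len(ordered) - 1:
            ranges.append("*")
        elif lo == 0:
            ranges.append(f"< {ordered[hi + 1]}")
        elif hi == len(ordered) - 1:
            ranges.append(f">= {ordered[lo]}")
        else:
            ranges.append(f">= {ordered[lo]}, < {ordered[hi + 1]}")
        i = j + 1
    return ranges


def classify(upstream_ranges: List[str]) -> Tuple[str, List[str]]:
    """Bucket an advisory the way the report does (bucket names are mine)."""
    affected = affected_jll_versions(upstream_ranges)
    ranges = jll_ranges(affected)
    latest = max(JLL_COMPONENTS, key=parse_version)
    if "*" in ranges:
        return "unbounded", ranges           # "computed a range without bounds"
    if latest in affected:
        return "latest-affected", ranges     # "includes the latest version"
    return "concrete", ranges                # "found concrete vulnerable ranges"


if __name__ == "__main__":
    # First two upstream ranges are the ones the report quotes (the "< 2.27.0"
    # clause is inferred from its computed output); the last two are assumed.
    cases = {
        "CVE-2021-43666": ["<= 3.0.0"],
        "CVE-2021-36647": ["< 2.27.0", ">= 2.28.0, < 3.0.0"],
        "CVE-2019-16910 (assumed range)": ["< 2.16.6"],
        "CVE-2021-45450 (assumed range)": [">= 2.24.0, < 2.28.0"],
    }
    for cve, specs in cases.items():
        bucket, ranges = classify(specs)
        print(f"{cve}: {bucket} {ranges}")
```

Running it reproduces the report's computed ranges for these advisories: the "<= 3.0.0" upstream bound covers every registered build and so degenerates to ["*"], which is why that whole class of advisories carries no useful upper bound until the JLL ships a 3.x component, while the split CVE-2021-36647 ranges come out as ["< 2.27.0+0", ">= 2.28.0+0"], the second run reaching the latest build and therefore landing in the no-patch bucket.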
@mbauman
Member

mbauman commented Oct 23, 2025

This PR suggests 8 active advisories against the mbedtls JLL. Four are now corrected with my changes:

Four, however, look to be outstanding. I'm using their reports, as those seem to have the best information here. Debian is carrying patches for 2.16 (but not 2.28). I've not found any distro that is doing such (checking Repology for other bundlers of the 2.28 line).

And while I'm looking at the mbedtls page, I can see there are a few other vulns that NVD/EUVD haven't enriched yet that affect the 2.x line:
