Anyone using AWS.Client in Fedora? You need Rawhide.

Subject: Anyone using AWS.Client in Fedora? You need Rawhide.
From: Bjorn (at) *nospam* xn--rombobjrn-67a.se (Björn Persson)
Newsgroups: comp.lang.ada
Date: 06. Dec 2024, 19:45:39
Message-ID : <20241206194539.343a138a@tag.xn--rombobjrn-67a.se>
User-Agent : Claws Mail 4.3.0 (GTK 3.24.43; x86_64-redhat-linux-gnu)
Anyone who uses the client-side HTTPS functionality of the Ada Web
Server library needs to know about CVE-2024-37015. HTTPS requests made
with AWS.Client are vulnerable to monster-in-the-middle attacks.

Here's the announcement from AdaCore:
https://docs.adacore.com/corp/security-advisories/SEC.AWS-0031-v2.pdf

Although the vulnerability was disclosed in August, version 25.0.0 is
the only public release that includes the fix. It is now finally
available in Fedora, but only in Rawhide, the development version that
will become Fedora 42.

The fix comes with API changes that make it difficult to backport to
older versions. That also means that programs using AWS will probably
need to be adapted to use version 25. Furthermore, AWS 25 needs
Gnatcoll 25, and as usual each new library version has a new soname.
If we were to push AWS 25 and Gnatcoll 25 as updates to Fedora 40 and 41,
then any programs using Gnatcoll would stop working when users install
the update, even if they have nothing to do with AWS. That would be bad.

Thus, AWS.Client in Fedora 40 and 41 should not be used except on
isolated networks where everything on the network is fully trusted.
Only in Rawhide is AWS.Client suitable for use on the Internet.

If you run programs in Fedora that use AWS.Client on the Internet, these
are your options:

1: Install Rawhide and follow the development version, accepting the
   instability and the higher maintenance burden, until Fedora 42 is
   released. Adapt your programs to the API changes in AWS 25. Recompile
   more or less all of your own programs. Expect further recompilations
   before the release date, such as when the soname of Libgnat changes
   some time in January.

2: Download the source RPM packages of AWS 25 and Gnatcoll 25 from
   Rawhide, and compile them yourself on Fedora 41. Adapt your programs
   to the API changes, and also recompile anything that uses Gnatcoll.

This situation is not how I wish it were, but there are limits to what
packagers can do when the upstream developers don't make clean bugfix
releases.

Björn Persson

