From: Björn Persson
Newsgroups: comp.lang.ada
Subject: Anyone using AWS.Client in Fedora? You need Rawhide.
Date: Fri, 6 Dec 2024 19:45:39 +0100
Message-ID: <20241206194539.343a138a@tag.xn--rombobjrn-67a.se>

Anyone who uses the client-side HTTPS functionality of the Ada Web Server library needs to know about CVE-2024-37015. HTTPS requests made with AWS.Client are vulnerable to monster-in-the-middle attacks. Here's the announcement from AdaCore:

https://docs.adacore.com/corp/security-advisories/SEC.AWS-0031-v2.pdf

Although the vulnerability was disclosed in August, version 25.0.0 is the only public release that includes the fix. It is now finally available in Fedora, but only in Rawhide, the development version that will become Fedora 42.

The fix comes with API changes that make it difficult to backport to older versions. That also means that programs using AWS will probably need to be adapted to use version 25. Furthermore, AWS 25 needs Gnatcoll 25, and as usual each new library version has a new soname. If we pushed AWS 25 and Gnatcoll 25 as updates to Fedora 40 and 41, then any programs using Gnatcoll would stop working when users install the update, even if they have nothing to do with AWS. That would be bad.

Thus, AWS.Client in Fedora 40 and 41 should not be used except on isolated networks where everything on the network is fully trusted.
Only in Rawhide is AWS.Client suitable for use on the Internet. If you run programs in Fedora that use AWS.Client on the Internet, these are your options:

1: Install Rawhide and follow the development version, accepting the instability and the higher maintenance burden, until Fedora 42 is released. Adapt your programs to the API changes in AWS 25. Recompile more or less all of your own programs. Expect further recompilations before the release date, such as when the soname of Libgnat changes some time in January.

2: Download the source RPM packages of AWS 25 and Gnatcoll 25 from Rawhide, and compile them yourself on Fedora 41. Adapt your programs to the API changes, and also recompile anything that uses Gnatcoll.

This situation is not how I wish it were, but there are limits to what packagers can do when the upstream developers don't make clean bugfix releases.

Björn Persson