JuliaLang / MbedTLS.jl

Wrapper around mbedtls

FYI: Security update: 2.14.0 (and 2.14.1); even better update to 2.16.0 LTS #189

Closed PallHaraldsson closed 5 years ago

PallHaraldsson commented 5 years ago

Hi, this is more of an FYI, as it seems more needs to change, and I'm stuck: I'm not sure where those keys are (and more is unclear).

https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.0-2.7.7-and-2.1.16-released

I figured out the SHA-256 keys used, i.e. at https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.0-2.7.7-and-2.1.16-released

but not here: https://tls.mbed.org/download-archive

Do you know if Julia itself uses this package from now on? As it's unclear to me that it does, and it seems to use 2.6, which is no longer supported(?)

The only good thing about using that old version (or a little newer) seems to be if you also want to support Windows XP (against Julia's supported platforms policy):

https://tls.mbed.org/tech-updates/blog/retiring-legacy-windows-support

The support in our LTS (Long Term Support) branches, versions 2.7 and 2.1 will remain the same, which will have the side effect that they do not fully support more modern versions of Microsoft Windows.

PallHaraldsson commented 5 years ago

There's now an even newer (2.14.1 and) 2.16 LTS:

https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.0-2.7.9-and-2.1.18-released

PallHaraldsson commented 5 years ago

I see 2.16.0 is already in Julia: https://github.com/JuliaLang/julia/pull/30618

@samoconnor, I'm not sure who to ask, but is this package abandoned, or redundant since (later) MbedTLS is in Julia? I'm not sure if anyone has to use this package (or who does; maybe it's a broader wrapper for MbedTLS), and the insecure 2.13 is a problem. I thought this might be for pre-0.7 users, but at least this package is for 0.7+ now. The README seems wrong (and it's even outdated):

"Current supported mbedtls version: 2.13.1"

quinnj commented 5 years ago

Fixed in https://github.com/JuliaWeb/MbedTLS.jl/commit/0e65ee9385ca587384abe6d7cf532079e3895bb9