Friday, December 6, 2024

Anyone using AWS.Client? You need Rawhide.

Anyone who uses the client-side HTTPS functionality of the Ada Web
Server library needs to know about CVE-2024-37015. HTTPS requests made
with AWS.Client are vulnerable to monster-in-the-middle attacks.

Here's the announcement from Adacore:
https://docs.adacore.com/corp/security-advisories/SEC.AWS-0031-v2.pdf

Although the vulnerability was disclosed in August, version 25.0.0 is
the only public release that includes the fix. It is now finally
available in Fedora, but only in Rawhide.

The fix comes with API changes that make it difficult to backport to
older versions. That also means that programs using AWS will probably
need to be adapted to use version 25. Furthermore, AWS 25 needs
Gnatcoll 25, and as usual each new library version has a new soname.
If we pushed AWS 25 and Gnatcoll 25 as updates to Fedora 40 and 41,
then any programs using Gnatcoll would stop working when users install
the update, even if they have nothing to do with AWS. That would be bad.

Thus, AWS.Client in Fedora 40 and 41 should not be used except on
isolated networks where everything on the network is fully trusted.
Only in Rawhide (which will become Fedora 42) is AWS.Client suitable
for use on the Internet.

If your programs use AWS.Client on the Internet, these are your options:

1: Install Rawhide and follow the development version, accepting the
instability and the higher maintenance burden, until Fedora 42 is
released. Adapt your programs to the API changes in AWS 25. Recompile
more or less all of your own programs. Expect further recompilations
before the release date, such as when the soname of Libgnat will
change some time in January.

2: Download the source RPM packages of AWS 25 and Gnatcoll 25 from
Rawhide, and compile them yourself on Fedora 41. Adapt your programs
to the API changes, and also recompile anything that uses Gnatcoll.

This situation is not how I wish it were, but there are limits to what
packagers can do when the upstream developers don't make clean bugfix
releases.

Björn Persson
