@valeriosetti valeriosetti commented Nov 3, 2025

Update Mbed TLS revision to 3.6.5 release.

This PR depends on zephyrproject-rtos/mbedtls#79

Fixes #98994

github-actions bot commented Nov 3, 2025

The following west manifest projects have changed revision in this Pull Request:

| Name | Old Revision | New Revision | Diff |
|------|--------------|--------------|------|
| mbedtls | zephyrproject-rtos/mbedtls@f4c0283 | zephyrproject-rtos/mbedtls@c5b06d8 (zephyr_mbedtls_v3.6.5) | zephyrproject-rtos/[email protected] |

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@github-actions github-actions bot added manifest manifest-mbedtls DNM (manifest) This PR should not be merged (controlled by action-manifest) labels Nov 3, 2025
@zephyrbot zephyrbot added area: mbedTLS / PSA Crypto size: XS A PR changing only a single line of code labels Nov 3, 2025
@valeriosetti valeriosetti requested a review from dleach02 November 3, 2025 14:18
tomi-font previously approved these changes Nov 4, 2025

@tomi-font tomi-font left a comment

don't forget the release notes entry as well

@zephyrbot zephyrbot added the Release Notes To be mentioned in the release notes label Nov 4, 2025

@tomi-font tomi-font left a comment

Maybe we should also explicitly mention the CVEs fixed by this Mbed TLS release at the top of the file?
See for example:

Security Vulnerability Related
******************************
The following CVEs are addressed by this release:
* :cve:`2025-27809` `TLS clients may unwittingly skip server authentication
<https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/>`_

@tomi-font

@ceolin @d3zd3z @jhedberg @cfriedt This is probably worth getting in for 4.3? needs one more review on zephyrproject-rtos/mbedtls#79

jhedberg commented Nov 4, 2025

> @ceolin @d3zd3z @jhedberg @cfriedt This is probably worth getting in for 4.3? needs one more review on zephyrproject-rtos/mbedtls#79

This is a strange time to see proposals for module updates. Is this some release that happened after our rc1, and has some critical fixes we need for the release? Why wasn't this done before rc1 as part of #97555?

@tomi-font

> This is a strange time to see proposals for module updates. Is this some release that happened after our rc1, and has some critical fixes we need for the release? Why wasn't this done before rc1 as part of #97555?

Hmm yeah admittedly a bit late to the party, this bugfix release happened some weeks ago, it just has two medium security fixes. The Mbed TLS module PR was raised exactly 3 weeks ago by @valeriosetti but has received little attention so far.

> Why wasn't this done before rc1 as part of #97555?

As for this question, well... I wasn't even aware of this issue. @d3zd3z is meant to be the maintainer but hasn't been active in maintaining Mbed TLS/TF-M.

Not that big of a deal if this is too much too late for 4.3.

jhedberg commented Nov 4, 2025

I think this could (perhaps should) be considered still for 4.3. However, what's with the failing CI tests?

@zephyrbot zephyrbot requested a review from PavelVPV November 5, 2025 12:28
PavelVPV previously approved these changes Nov 5, 2025
jhedberg previously approved these changes Nov 5, 2025

@jhedberg jhedberg left a comment

Looks fine, but please don't forget to get the module PR merged and then update west.yml here.

@tomi-font tomi-font added this to the v4.3.0 milestone Nov 6, 2025
Update Mbed TLS revision from 3.6.4 to 3.6.5.

Signed-off-by: Valerio Setti <[email protected]>
@valeriosetti valeriosetti dismissed stale reviews from jhedberg and PavelVPV via bfc02c1 November 6, 2025 08:26
@github-actions github-actions bot removed the DNM (manifest) This PR should not be merged (controlled by action-manifest) label Nov 6, 2025
PavelVPV previously approved these changes Nov 6, 2025
valeriosetti and others added 3 commits November 6, 2025 10:53
Add a note about Mbed TLS version upgrade from 3.6.4 to 3.6.5.
Update also the CVE list accordingly.

Signed-off-by: Valerio Setti <[email protected]>

Enable retransmissions of Generic Provisioning PDUs. This should fix
pb_cancel test where provisionee fails to receive Link Open PDU due to
parallel PB-GATT advertisement, but since Link Open PDU is not
retransmitted, test fails.

Signed-off-by: Pavel Vasilyev <[email protected]>

Add delay to avoid missed packet by tester.

This fixes brg_subnet_duplicate_filtering test.

Signed-off-by: Pavel Vasilyev <[email protected]>

jhedberg commented Nov 6, 2025

@valeriosetti since this was opened after rc2 it needs a bug report reference as well

sonarqubecloud bot commented Nov 6, 2025

@valeriosetti valeriosetti linked an issue Nov 6, 2025 that may be closed by this pull request
@cfriedt cfriedt merged commit cce11a5 into zephyrproject-rtos:main Nov 6, 2025
30 checks passed
Labels

area: Bluetooth Mesh; area: Bluetooth; area: mbedTLS / PSA Crypto; area: Tests (Issues related to a particular existing or missing test); manifest; manifest-mbedtls; Release Notes (To be mentioned in the release notes); size: XS (A PR changing only a single line of code)

Development

Successfully merging this pull request may close these issues.

Update Mbed TLS to version 3.6.5