
mbedtls 3.6.3 & CVEs #7333


Closed
etienne-lms opened this issue Mar 27, 2025 · 5 comments

@etienne-lms
Contributor

I'm being asked a couple of questions I think are worth being mentioned here. Mbedtls has recently published 2 CVEs and a 3.6.3 release to address them:

To my knowledge, services provided by OP-TEE are not affected by these issues, which relate to SSL server authentication and handshake sequences.

A question that was raised in this scope is how one can easily track the version of the (somewhat) external components embedded in OP-TEE to check whether newly published vulnerabilities affect OP-TEE or not. I'm specifically considering here the mbedtls, tomcrypt and zlib libraries.
Could the OP-TEE source tree host an SBOM-like file describing these dependencies? Or maybe an explicit mention in the OP-TEE docs of the versions these libs are based on.

Another question is, since mbedtls has decided to start an LTS management branch for 3.6.3, would it be worthwhile for OP-TEE to upgrade to that version? Its APIs are fully compliant with those of version 3.6.2 we're currently based on (as of OP-TEE release tag 4.5.0), so it should not be too hard to upgrade to.

Thoughts are welcome.

@jenswi-linaro
Contributor

> A question that was raised in this scope is how one can easily track the version of the (somewhat) external components embedded in OP-TEE to check whether newly published vulnerabilities affect OP-TEE or not. I'm specifically considering here the mbedtls, tomcrypt and zlib libraries. Could the OP-TEE source tree host an SBOM-like file describing these dependencies?

Sure, the information is already in the git, but we could also update a text file in the root. What format do you have in mind?

> Or maybe an explicit mention in the OP-TEE docs of the versions these libs are based on.

That seems hard to keep up to date.

> Another question is, since mbedtls has decided to start an LTS management branch for 3.6.3, would it be worthwhile for OP-TEE to upgrade to that version? Its APIs are fully compliant with those of version 3.6.2 we're currently based on (as of OP-TEE release tag 4.5.0), so it should not be too hard to upgrade to.

The instructions from the last import are in commit 4d211f3 ("Import mbedtls-3.6.2"). Patches are welcome! :-)

@jforissier
Contributor

> Another question is, since mbedtls has decided to start an LTS management branch for 3.6.3, would it be worthwhile for OP-TEE to upgrade to that version? Its APIs are fully compliant with those of version 3.6.2 we're currently based on (as of OP-TEE release tag 4.5.0), so it should not be too hard to upgrade to.

> The instructions from the last import are in commit 4d211f3 ("Import mbedtls-3.6.2"). Patches are welcome! :-)

@etienne-lms I have created the import branch: https://github.com/OP-TEE/optee_os/tree/import/mbedtls-3.6.3 (from current master). Please create a pull request against it if you decide to do the upgrade. Thanks!

@etienne-lms
Contributor Author

Thanks @jforissier.

> Could the OP-TEE source tree host an SBOM-like file describing these dependencies?

> Sure, the information is already in the git, but we could also update a text file in the root. What format do you have in mind?

I don't have a precise format in mind. From https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/sbom.html it seems some formats would be preferred. I don't know much about them.

> Or maybe an explicit mention in the OP-TEE docs of the versions these libs are based on.

> That seems hard to keep up to date.

Agree.

> The instructions from the last import are in commit 4d211f3 ("Import mbedtls-3.6.2"). Patches are welcome! :-)

Sure :^)
Thanks @jforissier for the branch.
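As an added example (not OP-TEE code, and not a format the thread settles on), here is the kind of SBOM-driven check the tracking question above is about: a minimal CycloneDX-style JSON fragment listing the embedded libraries, and a Python check that flags any component whose recorded version falls inside an advisory's affected range. Only the mbedtls 3.6.2 version (OP-TEE 4.5.0) and the 3.6.3 fix version come from this issue; the tomcrypt and zlib versions and the advisory ID are labelled placeholders, and the only CycloneDX fields assumed are `bomFormat`, `components`, `name` and `version`.

```python
"""SBOM-driven advisory check (added example; not OP-TEE's own tooling)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment. Only "mbedtls 3.6.2" comes from the
# issue (OP-TEE 4.5.0); the tomcrypt and zlib versions are PLACEHOLDERS.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "mbedtls",     "version": "3.6.2"},
    {"type": "library", "name": "libtomcrypt", "version": "0.0.0-placeholder"},
    {"type": "library", "name": "zlib",        "version": "0.0.0-placeholder"}
  ]
}
"""

# Constructed advisory list. The ID is a placeholder; the "fixed in 3.6.3"
# range mirrors the release mentioned in the issue.
ADVISORIES = [
    {"id": "CVE-YYYY-NNNNN (placeholder)", "component": "mbedtls",
     "affected_below": "3.6.3", "fixed_in": "3.6.3"},
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.6.2', 'v3.6.2' or '3.6.2-rc1' into (3, 6, 2) for ordered comparison."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) if x is not None else 0 for x in m.groups())
    return (major, minor, patch)


def load_components(sbom_text: str) -> Dict[str, str]:
    """Map component name -> recorded version from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def affected_components(sbom_text: str, advisories: List[dict]) -> List[dict]:
    """Return the embedded components whose version lies in an advisory's affected range.

    A component that is not in the SBOM is skipped: an advisory for a library
    the tree does not embed is irrelevant, which is exactly the question the
    SBOM is meant to answer quickly.
    """
    components = load_components(sbom_text)
    hits = []
    for adv in advisories:
        version = components.get(adv["component"])
        if version is None:
            continue
        current = parse_version(version)
        since = parse_version(adv.get("affected_since", "0"))
        below = parse_version(adv["affected_below"])
        if since <= current < below:
            hits.append({"component": adv["component"], "version": version,
                         "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits


def with_component_version(sbom_text: str, name: str, new_version: str) -> str:
    """Return a copy of the SBOM with one component's version replaced.

    This is the single-line change an upgrade commit would have to make to
    the checked-in SBOM, so the check can be re-run before merging.
    """
    doc = json.loads(sbom_text)
    for component in doc.get("components", []):
        if component["name"] == name:
            component["version"] = new_version
    return json.dumps(doc)


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{hit['component']} {hit['version']}: {hit['advisory']} "
              f"(fixed in {hit['fixed_in']})")
    print("after upgrade:",
          affected_components(with_component_version(SBOM_JSON, "mbedtls", "3.6.3"),
                              ADVISORIES))
```

Checking a file like this into the source tree and running the comparison against an advisory feed in CI is what turns "does this CVE affect us?" into a lookup rather than a walk through git history; the same file also documents which upstream tag each import was taken from.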

@etienne-lms
Contributor Author

#7337


This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note that you can always re-open a closed issue at any time.
