Mbed TLS is not thread-aware when built with the default configuration. Please see here for more info: https://tls.mbed.org/kb/development/thread-safety-and-multi-threading Please note that by not sharing contexts between threads the authors not only mean explicit context sharing between threads, but also implicit context sharing which happens when contexts refer to each other internally. The latter is the source of the following problem. The current EPEL mbedtls package is built without defining MBEDTLS_THREADING_C and MBEDTS_THREADING_PTHREAD in config.h (default configuration). When being run, such a library does not have internal synchronization when accessing linked contexts internally from multiple threads even though a keen user has taken measures to protect their explicitly created contexts with mutexes or avoided sharing contexts altogether. This, in turn, leads to undefined behaviour, hard-to-debug TLS-related errors and possible state corruption which also means it can be exploited. Please see here for more info: https://github.com/ARMmbed/mbedtls/issues/3544 We believe that since Centos and Fedora are not embedded systems by default and since Mbed TLS is widely used as a server TLS library, it MUST be compiled with thread awareness. The proposed solution would be to add the following lines to the RPM spec as it is done in Archlinux for example: https://github.com/archlinux/svntogit-community/blob/packages/mbedtls/trunk/PKGBUILD > # enable flags for non-embedded systems > sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h > sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h Another solution would be to have two distinct packages - with and without thread awareness - explicitly documented as such.
This bug report affects only EPEL 6 and 7. We are building Mbed TLS with MBEDTLS_THREADING_C and MBEDTS_THREADING_PTHREAD support for all Fedora branches and EPEL 8. https://src.fedoraproject.org/rpms/mbedtls/blob/master/f/mbedtls.spec We will backport it to EPEL7 and EPEL6.
FEDORA-EPEL-2020-1550ae9e4c has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-1550ae9e4c
FEDORA-EPEL-2020-929bca39af has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-929bca39af
Thank you for the quick reaction!
FEDORA-EPEL-2020-929bca39af has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-929bca39af See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-1550ae9e4c has been pushed to the Fedora EPEL 6 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-1550ae9e4c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-929bca39af has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2020-1550ae9e4c has been pushed to the Fedora EPEL 6 stable repository. If problem still persists, please make note of it in this bug report.