allow http-client-tls-0.4, crypton-x509*-1.9, tls-2.2+, jose-1.3 #8050

Open: juhp wants to merge 1 commit into master from tls-2.2-crypton-1.1

juhp (Member) commented Jun 19, 2026

Closes: #7929 #7966 #8033

Addresses https://haskell.github.io/security-advisories/advisory/HSEC-2026-0008.html (crypton-x509-validation, crypton-x509)

ysangkok (Contributor) commented Jun 20, 2026

@juhp You should not need to disable dhall, as it has a flag use-http-client-tls that we could disable.

BTW I have fixed servant and smtp-mail

jappeace (Contributor) commented

mysql-haskell has a flag too which is enabled by default.

woffs (Contributor) commented Jun 20, 2026

just released amqp-utils-0.6.8.0 to manage this

juhp force-pushed the tls-2.2-crypton-1.1 branch from c2461c8 to 84163f0, June 25, 2026 14:37
juhp (Member, Author) commented Jun 25, 2026

I updated the PR; although it sounds like Kazu doesn't feel the HSEC issue is really exploitable: so not very serious perhaps? Though I suppose for Stackage LTS users in an enterprise setting there may be compliance requirements, etc.

One can see the full list of packages that will be disabled in the changes.
I did open upstream issues for all the remaining top level packages today that didn't have them.

juhp marked this pull request as ready for review, June 25, 2026 14:40

juhp changed the title from "allow http-client-tls-0.4, crypton-x509*-1.9, tls-2.2, jose-1.3" to "allow http-client-tls-0.4, crypton-x509*-1.9, tls-2.2+, jose-1.3", Jun 25, 2026

ysangkok mentioned this pull request, Jun 25, 2026
Development

Successfully merging this pull request may close these issues.

crypton-1.1 & tls-2.4