mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 04:45:49 +01:00
Merge remote-tracking branch 'upstream-restricted/pr/453' into mbedtls-2.1-restricted
This commit is contained in:
commit
f725bea9b2
63
ChangeLog
63
ChangeLog
@ -1,44 +1,46 @@
|
||||
mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= mbed TLS 2.1.10 branch released 2017-xx-xx
|
||||
= mbed TLS 2.1.10 branch released 2018-02-03
|
||||
|
||||
Security
|
||||
* Fix buffer overflow in RSA-PSS verification when the hash is too
|
||||
large for the key size. Found by Seth Terashima, Qualcomm Product
|
||||
Security Initiative, Qualcomm Technologies Inc.
|
||||
* Fix buffer overflow in RSA-PSS verification when the unmasked
|
||||
data is all zeros.
|
||||
* Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding
|
||||
64kB to the address of the SSL buffer wraps around.
|
||||
* Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by
|
||||
* Fix a heap corruption issue in the implementation of the truncated HMAC
|
||||
extension. When the truncated HMAC extension is enabled and CBC is used,
|
||||
sending a malicious application packet could be used to selectively corrupt
|
||||
6 bytes on the peer's heap, which could potentially lead to crash or remote
|
||||
code execution. The issue could be triggered remotely from either side in
|
||||
both TLS and DTLS. CVE-2018-0488
|
||||
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
|
||||
for the key size, which could potentially lead to crash or remote code
|
||||
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
|
||||
Qualcomm Technologies Inc. CVE-2018-0487
|
||||
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
|
||||
zeros.
|
||||
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
|
||||
64 KiB to the address of the SSL buffer and causing a wrap around.
|
||||
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
|
||||
default enabled) maximum fragment length extension is disabled in the
|
||||
config and the application data buffer passed to mbedtls_ssl_write
|
||||
is larger than the internal message buffer (16384 bytes by default), the
|
||||
latter overflows. The exploitability of this issue depends on whether the
|
||||
application layer can be forced into sending such large packets. The issue
|
||||
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
|
||||
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707.
|
||||
* Tighten should-be-constant-time memcmp against compiler optimizations.
|
||||
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
|
||||
Fixes #707.
|
||||
* Add a provision to prevent compiler optimizations breaking the time
|
||||
constancy of mbedtls_ssl_safer_memcmp().
|
||||
* Ensure that buffers are cleared after use if they contain sensitive data.
|
||||
Changes were introduced in multiple places in the library.
|
||||
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
|
||||
being leaked to memory after release.
|
||||
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
||||
leaking 1 bit of the private key. Reported by prashantkspatil.
|
||||
* Make mbedtls_mpi_read_binary constant-time with respect to
|
||||
the input data. Previously, trailing zero bytes were detected
|
||||
and omitted for the sake of saving memory, but potentially
|
||||
leading to slight timing differences.
|
||||
Reported by Marco Macchetti, Kudelski Group.
|
||||
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
|
||||
data. Previously, trailing zero bytes were detected and omitted for the
|
||||
sake of saving memory, but potentially leading to slight timing
|
||||
differences. Reported by Marco Macchetti, Kudelski Group.
|
||||
* Wipe stack buffer temporarily holding EC private exponent
|
||||
after keypair generation.
|
||||
* Fix heap corruption in implementation of truncated HMAC extension.
|
||||
When the truncated HMAC extension is enabled and CBC is used,
|
||||
sending a malicious application packet can be used to selectively
|
||||
corrupt 6 bytes on the peer's heap, potentially leading to crash or
|
||||
remote code execution. This can be triggered remotely from either
|
||||
side in both TLS and DTLS.
|
||||
* Fix a potential heap buffer overread in ALPN extension parsing
|
||||
* Fix a potential heap buffer over-read in ALPN extension parsing
|
||||
(server-side). Could result in application crash, but only if an ALPN
|
||||
name larger than 16 bytes had been configured on the server.
|
||||
* Change default choice of DHE parameters from untrustworthy RFC 5114
|
||||
@ -83,11 +85,11 @@ Bugfix
|
||||
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
|
||||
non-v3 CRT's.
|
||||
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024
|
||||
* Fix net_would_block to avoid modification by errno through fcntl call.
|
||||
* Fix net_would_block() to avoid modification by errno through fcntl() call.
|
||||
Found by nkolban. Fixes #845.
|
||||
* Fix handling of handshake messages in mbedtls_ssl_read in case
|
||||
* Fix handling of handshake messages in mbedtls_ssl_read() in case
|
||||
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
|
||||
* Add a check for invalid private parameters in ecdsa_sign.
|
||||
* Add a check for invalid private parameters in ecdsa_sign().
|
||||
Reported by Yolan Romailler.
|
||||
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
|
||||
* Add size-checks for record and handshake message content, securing
|
||||
@ -95,13 +97,14 @@ Bugfix
|
||||
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
|
||||
MilenkoMitrovic, #1104
|
||||
* Fix mbedtls_timing_alarm(0) on Unix and MinGw.
|
||||
* Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1.
|
||||
* Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
|
||||
* Fix issue in RSA key generation program programs/x509/rsa_genkey
|
||||
where the failure of CTR DRBG initialization lead to freeing an
|
||||
RSA context without proper initialization beforehand.
|
||||
* Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that
|
||||
sometimes accepted invalid padding. (Not used in TLS.) Found and fixed
|
||||
by Micha Kraus.
|
||||
* Fix an issue in the cipher decryption with the mode
|
||||
MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
|
||||
Note, this padding mode is not used by the TLS protocol. Found and fixed by
|
||||
Micha Kraus.
|
||||
|
||||
Changes
|
||||
* Extend cert_write example program by options to set the CRT version
|
||||
|
Loading…
Reference in New Issue
Block a user