From f92c86e44d5c33ad2a895cf7f0b989737a60d252 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 7 Jan 2016 13:18:01 +0100 Subject: [PATCH] Update reference to attack in ChangeLog We couldn't do that before the attack was public --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e21187fff..5dcb5a207 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,7 +6,10 @@ Security * Fix potential double free when mbedtls_asn1_store_named_data() fails to allocate memory. Only used for certificate generation, not triggerable remotely in SSL/TLS. Found by RafaƂ Przywara. #367 - * Disable MD5 handshake signatures in TLS 1.2 by default + * Disable MD5 handshake signatures in TLS 1.2 by default to prevent the + SLOTH attack on TLS 1.2 server authentication (other attacks from the + SLOTH paper do not apply to any version of mbed TLS or PolarSSL). + https://www.mitls.org/pages/attacks/SLOTH Bugfix * Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
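Review bot: the scope claim added in this hunk ("other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL") is broad and the ChangeLog gives a reader no way to check it; consider adding a short reason (which protocol features or versions the other SLOTH variants depend on and why the library is not affected) or a pointer to where that analysis was done, so the entry does not read as an unsupported assurance. Minor style point: the trailing bare URL line would read more consistently with the surrounding entries if introduced with a word such as "See", the way the entry above cites its issue as "#367".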