forked from pool/mbedtls
Accepting request 1033622 from security:tls
OBS-URL: https://build.opensuse.org/request/show/1033622 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=34
This commit is contained in:
commit
14a5de7fc0
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc
|
|
||||||
size 3711231
|
|
3
mbedtls-2.28.1.tar.gz
Normal file
3
mbedtls-2.28.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4
|
||||||
|
size 3914247
|
121
mbedtls.changes
121
mbedtls.changes
@ -1,3 +1,124 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 4 16:53:36 UTC 2022 - Mia Herkt <mia@0x0.st>
|
||||||
|
|
||||||
|
- Update to 2.28.1: (CVE-2022-35409)
|
||||||
|
Default behavior changes
|
||||||
|
|
||||||
|
* mbedtls_cipher_set_iv will now fail with ChaCha20 and
|
||||||
|
ChaCha20+Poly1305 for IV lengths other than 12. The library was
|
||||||
|
silently overwriting this length with 12, but did not inform
|
||||||
|
the caller about it.
|
||||||
|
gh#Mbed-TLS/mbedtls#4301
|
||||||
|
|
||||||
|
Features
|
||||||
|
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA
|
||||||
|
crypto feature requirements in the file named by the new macro
|
||||||
|
MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default
|
||||||
|
psa/crypto_config.h. Furthermore you may name an additional
|
||||||
|
file to include after the main file with the macro
|
||||||
|
MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Zeroize dynamically-allocated buffers used by the PSA Crypto
|
||||||
|
key storage module before freeing them. These buffers contain
|
||||||
|
secret key material, and could thus potentially leak the key
|
||||||
|
through freed heap.
|
||||||
|
* Fix a potential heap buffer overread in TLS 1.2 server-side
|
||||||
|
when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created
|
||||||
|
with mbedtls_pk_setup_opaque()) is provisioned, and a static
|
||||||
|
ECDH ciphersuite is selected. This may result in an application
|
||||||
|
crash or potentially an information leak.
|
||||||
|
* Fix a buffer overread in DTLS ClientHello parsing in servers
|
||||||
|
with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled.
|
||||||
|
An unauthenticated client or a man-in-the-middle could cause a
|
||||||
|
DTLS server to read up to 255 bytes after the end of the SSL
|
||||||
|
input buffer. The buffer overread only happens when
|
||||||
|
MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that
|
||||||
|
depends on the exact configuration: 258 bytes if using
|
||||||
|
mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with
|
||||||
|
a custom cookie check function.
|
||||||
|
Reported by the Cybeats PSI Team.
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix a memory leak if mbedtls_ssl_config_defaults() is called
|
||||||
|
twice.
|
||||||
|
* Fix several bugs (warnings, compiler and linker errors, test
|
||||||
|
failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO
|
||||||
|
is enabled.
|
||||||
|
* Fix a bug in (D)TLS curve negotiation: when
|
||||||
|
MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or
|
||||||
|
ECDHE-RSA key exchange was used, the client would fail to check
|
||||||
|
that the curve selected by the server for ECDHE was indeed one
|
||||||
|
that was offered. As a result, the client would accept any
|
||||||
|
curve that it supported, even if that curve was not allowed
|
||||||
|
according to its configuration.
|
||||||
|
gh#Mbed-TLS/mbedtls#5291
|
||||||
|
* Fix unit tests that used 0 as the file UID. This failed on some
|
||||||
|
implementations of PSA ITS.
|
||||||
|
gh#Mbed-TLS/mbedtls#3838
|
||||||
|
* Fix API violation in mbedtls_md_process() test by adding a call
|
||||||
|
to mbedtls_md_starts().
|
||||||
|
gh#Mbed-TLS/mbedtls#2227
|
||||||
|
* Fix compile errors when MBEDTLS_HAVE_TIME is not defined.
|
||||||
|
Add tests to catch bad uses of time.h.
|
||||||
|
* Fix bug in the alert sending function
|
||||||
|
mbedtls_ssl_send_alert_message() potentially leading to
|
||||||
|
corrupted alert messages being sent in case the function needs
|
||||||
|
to be re-called after initially returning
|
||||||
|
MBEDTLS_SSL_WANT_WRITE.
|
||||||
|
gh#Mbed-TLS/mbedtls#1916
|
||||||
|
* In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled
|
||||||
|
but none of MBEDTLS_SSL_HW_RECORD_ACCEL,
|
||||||
|
MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes
|
||||||
|
using CID would crash due to a null pointer dereference.
|
||||||
|
Fix this.
|
||||||
|
gh#Mbed-TLS/mbedtls#3998
|
||||||
|
* Fix incorrect documentation of mbedtls_x509_crt_profile. The
|
||||||
|
previous documentation stated that the allowed_pks field
|
||||||
|
applies to signatures only, but in fact it does apply to the
|
||||||
|
public key type of the end entity certificate, too.
|
||||||
|
gh#Mbed-TLS/mbedtls#1992
|
||||||
|
* Fix PSA cipher multipart operations using ARC4. Previously, an
|
||||||
|
IV was required but discarded. Now, an IV is rejected, as it
|
||||||
|
should be.
|
||||||
|
* Fix undefined behavior in mbedtls_asn1_find_named_data(), where
|
||||||
|
val is not NULL and val_len is zero. psa_raw_key_agreement()
|
||||||
|
now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable.
|
||||||
|
gh#Mbed-TLS/mbedtls#5735
|
||||||
|
* Fix a bug in the x25519 example program where the removal of
|
||||||
|
MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run.
|
||||||
|
gh#Mbed-TLS/mbedtls#4901
|
||||||
|
gh#Mbed-TLS/mbedtls#3191
|
||||||
|
* Encode X.509 dates before 1/1/2000 as UTCTime rather than
|
||||||
|
GeneralizedTime.
|
||||||
|
gh#Mbed-TLS/mbedtls#5465
|
||||||
|
* Fix order value of curve x448.
|
||||||
|
* Fix string representation of DNs when outputting values
|
||||||
|
containing commas and other special characters, conforming to
|
||||||
|
RFC 1779.
|
||||||
|
gh#Mbed-TLS/mbedtls#769
|
||||||
|
* Silence a warning from GCC 12 in the selftest program.
|
||||||
|
gh#Mbed-TLS/mbedtls#5974
|
||||||
|
* Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of
|
||||||
|
0.
|
||||||
|
* Fix resource leaks in mbedtls_pk_parse_public_key() in low
|
||||||
|
memory conditions.
|
||||||
|
* Fix server connection identifier setting for outgoing encrypted
|
||||||
|
records on DTLS 1.2 session resumption. After DTLS 1.2 session
|
||||||
|
resumption with connection identifier, the Mbed TLS client now
|
||||||
|
properly sends the server connection identifier in encrypted
|
||||||
|
record headers.
|
||||||
|
gh#Mbed-TLS/mbedtls#5872
|
||||||
|
* Fix a null pointer dereference when performing some operations
|
||||||
|
on zero represented with 0 limbs (specifically
|
||||||
|
mbedtls_mpi_mod_int() dividing by 2, and
|
||||||
|
mbedtls_mpi_write_string() in base 2).
|
||||||
|
* Fix record sizes larger than 16384 being sometimes accepted
|
||||||
|
despite being non-compliant. This could not lead to a buffer
|
||||||
|
overflow. In particular, application data size was already
|
||||||
|
checked correctly.
|
||||||
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jan 17 13:11:33 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>
|
Mon Jan 17 13:11:33 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package mbedtls
|
# spec file for package mbedtls
|
||||||
#
|
#
|
||||||
# Copyright (c) 2021 SUSE LLC
|
# Copyright (c) 2022 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -20,7 +20,7 @@
|
|||||||
%define lib_crypto libmbedcrypto7
|
%define lib_crypto libmbedcrypto7
|
||||||
%define lib_x509 libmbedx509-1
|
%define lib_x509 libmbedx509-1
|
||||||
Name: mbedtls
|
Name: mbedtls
|
||||||
Version: 2.28.0
|
Version: 2.28.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Libraries for crypto and SSL/TLS protocols
|
Summary: Libraries for crypto and SSL/TLS protocols
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
|
Loading…
Reference in New Issue
Block a user