forked from pool/mbedtls
Accepting request 337106 from devel:libraries:c_c++
- Update to 1.3.14
  * Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to buffer overflow of the hostname or session ticket. Found by Guido Vranken, Intelworks.

OBS-URL: https://build.opensuse.org/request/show/337106
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=5
This commit is contained in:
parent
5679e57a39
commit
22197980c8
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:67a593027b6a442a4fa5b6c224c4ac8cdae5be721f5a28a11d34f10dcda441cb
|
||||
size 1731809
|
3
mbedtls-1.3.14-gpl.tgz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:be76915bc406b4c4109629624baa5bf610a805d9976404e4086d44e5e6c86ff8
|
||||
size 1744343
|
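Review bot: the sha256 oid in this new LFS pointer for mbedtls-1.3.14-gpl.tgz is the only integrity reference the change carries, and nothing in the visible lines ties it to a checksum or signature published by upstream. Since this is a security update, state in the request where the tarball was fetched from and confirm the digest was compared against upstream's published value.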
@ -1,3 +1,78 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 8 06:53:02 UTC 2015 - mpluskal@suse.com
|
||||
|
||||
- Update to 1.3.14
|
||||
* Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to buffer
|
||||
overflow of the hostname or session ticket. Found by Guido Vranken,
|
||||
Intelworks.
|
||||
* Fix stack buffer overflow in pkcs12 decryption (used by
|
||||
mbedtls_pk_parse_key(file)() when the password is > 129 bytes. Found by
|
||||
Guido Vranken, Intelworks. Not triggerable remotely.
|
||||
* Fix potential buffer overflow in mbedtls_mpi_read_string().
|
||||
Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
|
||||
of TLS, but might be in other uses. On 32 bit machines, requires reading a
|
||||
string of close to or larger than 1GB to exploit; on 64 bit machines, would
|
||||
require reading a string of close to or larger than 2^62 bytes.
|
||||
* Fix potential random memory allocation in mbedtls_pem_read_buffer()
|
||||
on crafted PEM input data. Found and fix provided by Guido Vranken,
|
||||
Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
|
||||
accept PEM data from an untrusted source.
|
||||
* Fix potential double-free if ssl_set_psk() is called repeatedly on
|
||||
the same ssl_context object and some memory allocations fail. Found by
|
||||
Guido Vranken, Intelworks. Can not be forced remotely.
|
||||
* Fix possible heap buffer overflow in base64_encode() when the input
|
||||
buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
|
||||
Intelworks. Found by Guido Vranken. Not trigerrable remotely in TLS.
|
||||
* Fix potential heap buffer overflow in servers that perform client
|
||||
authentication against a crafted CA cert. Cannot be triggered remotely
|
||||
unless you allow third parties to pick trust CAs for client auth. Found by
|
||||
Guido Vranken, Intelworks.
|
||||
* Fix compile error in net.c with musl libc. Found and patch provided by
|
||||
zhasha (#278).
|
||||
* Fix macroization of 'inline' keywork when building as C++. (#279)
|
||||
* Added checking of hostname length in ssl_set_hostname() to ensure domain
|
||||
names are compliant with RFC 1035.
|
||||
- Changes for 1.3.13
|
||||
* Fix possible client-side NULL pointer dereference (read) when the client
|
||||
tries to continue the handshake after it failed (a misuse of the API).
|
||||
(Found and patch provided by Fabian Foerg, Gotham Digital Science using afl-fuzz.)
|
||||
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
|
||||
signatures. (Found by Florian Weimer, Red Hat.)
|
||||
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
|
||||
* Setting SSL_MIN_DHM_BYTES in config.h had no effect (overriden in ssl.h)
|
||||
(found by Fabio Solari) (#256)
|
||||
* Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
|
||||
result trying to unlock an unlocked mutex on invalid input (found by
|
||||
Fredrik Axelsson) (#257)
|
||||
* Fix -Wshadow warnings (found by hnrkp) (#240)
|
||||
* Fix unused function warning when using MBEDTLS_MDx_ALT or
|
||||
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
|
||||
* Fix memory corruption in pkey programs (found by yankuncheng) (#210)
|
||||
* Fix memory corruption on client with overlong PSK identity, around
|
||||
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
|
||||
Aleksandrs Saveljevs) (#238)
|
||||
* Fix off-by-one error in parsing Supported Point Format extension that
|
||||
caused some handshakes to fail.
|
||||
* When verifying a certificate chain, if an intermediate certificate is
|
||||
trusted, no later cert is checked. (suggested by hannes-landeholm)
|
||||
(#220).
|
||||
- Changes for 1.3.12
|
||||
* Increase the minimum size of Diffie-Hellman parameters accepted by the
|
||||
client to 1024 bits, to protect against Logjam attack.
|
||||
* Increase the size of default Diffie-Hellman parameters on the server to
|
||||
2048 bits. This can be changed with ssl_set_dh_params().
|
||||
* Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).
|
||||
* Some example programs were not built using make, not included in Visual
|
||||
Studio projects (found by Kristian Bendiksen).
|
||||
* Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
|
||||
Leisink).
|
||||
* Fix missing -static-ligcc when building shared libraries for Windows with
|
||||
make.
|
||||
* Fix compile error with armcc5 --gnu.
|
||||
* Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the
|
||||
minimum size of Diffie-Hellman parameters accepted by the client.
|
||||
* The PEM parser now accepts a trailing space at end of lines (#226).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 29 10:16:37 UTC 2015 - dimstar@opensuse.org
|
||||
|
||||
|
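Review bot: the 1.3.14 entry names functions inconsistently: mbedtls_pk_parse_key, mbedtls_mpi_read_string() and mbedtls_pem_read_buffer() carry the mbedtls_ prefix while ssl_set_psk(), base64_encode() and ssl_set_hostname() in the same entry do not (the 1.3.13 entry likewise has mbedtls_rsa_public() next to SSL_MIN_DHM_BYTES). Use the names as they exist in the packaged version so users can grep their code for affected calls. In the same entry, "mbedtls_pk_parse_key(file)()" has a stray "()" and the parenthesis opened before "used by" is never closed, "Found by Guido Vranken" appears twice on the base64_encode() item, and there are typos to fix: "keywork", "trigerrable", "triggerrable", "overriden", "-static-ligcc". Only the first item carries a CVE and boo reference; if the other memory-safety fixes have tracker ids, add them.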
@ -18,7 +18,7 @@
|
||||
|
||||
%define lib_name lib%{name}9
|
||||
Name: mbedtls
|
||||
Version: 1.3.11
|
||||
Version: 1.3.14
|
||||
Release: 0
|
||||
Summary: Open Source embedded SSL/TLS cryptographic library
|
||||
License: GPL-2.0+
|
||||
|
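Review bot: Version moves from 1.3.11 to 1.3.14 while the context line "%define lib_name lib%{name}9" stays unchanged. Please confirm the soname is still 9 across the three upstream releases this update covers (1.3.12, 1.3.13, 1.3.14); otherwise the library subpackage name no longer matches the shipped library.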