diff --git a/mbedtls.changes b/mbedtls.changes index e558012..9fca37d 100644 --- a/mbedtls.changes +++ b/mbedtls.changes @@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Wed Sep 9 11:24:12 UTC 2020 - Dirk Mueller + +- update to 2.24.0: + * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 + * Fix a vulnerability in the verification of X.509 certificates when matching + the expected common name (the cn argument of mbedtls_x509_crt_verify()) + with the actual certificate name: when the subjecAltName extension is + present, the expected name was compared to any name in that extension + regardless of its type. This means that an attacker could for example + impersonate a 4-bytes or 16-byte domain by getting a certificate for the + corresponding IPv4 or IPv6 (this would require the attacker to control that + IP address, though). Similar attacks using other subjectAltName name types + might be possible. + * When checking X.509 CRLs, a certificate was only considered as revoked if + its revocationDate was in the past according to the local clock if + available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, + certificates were never considered as revoked. On builds with + MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for + example, an untrusted OS attacking a secure enclave) could prevent + revocation of certificates via CRLs. Fixed by no longer checking the + revocationDate field, in accordance with RFC 5280. Reported by yuemonangong + in #3340. Reported independently and fixed by Raoul Strackx and Jethro + * In (D)TLS record decryption, when using a CBC ciphersuites without the + Encrypt-then-Mac extension, use constant code flow memory access patterns + to extract and check the MAC. This is an improvement to the existing + countermeasure against Lucky 13 attacks. The previous countermeasure was + effective against network-based attackers, but less so against local + attackers. The new countermeasure defends against local attackers, even if + they have access to fine-grained measurements. In particular, this fixes a + local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan + Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of + Florida) and Dave Tian (Purdue University). + * Fix side channel in RSA private key operations and static (finite-field) + Diffie-Hellman. An adversary with precise enough timing and memory access + information (typically an untrusted operating system attacking a secure + enclave) could bypass an existing counter-measure (base blinding) and + potentially fully recover the private key. + * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to + OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing + the problematic code. + * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused + application data from memory. + ------------------------------------------------------------------- Mon Sep 7 01:37:34 UTC 2020 - Stefan BrĂ¼ns diff --git a/mbedtls.spec b/mbedtls.spec index f1a3623..7c0fd37 100644 --- a/mbedtls.spec +++ b/mbedtls.spec @@ -20,7 +20,7 @@ %define lib_crypto libmbedcrypto5 %define lib_x509 libmbedx509-1 Name: mbedtls -Version: 2.23.0 +Version: 2.24.0 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0 diff --git a/v2.23.0.tar.gz b/v2.23.0.tar.gz deleted file mode 100644 index 5b7f8da..0000000 --- a/v2.23.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9933fe6b5991d5308e183a5a07454f76d7054721ba269d0c3811b227cb629e7a -size 3877270 diff --git a/v2.24.0.tar.gz b/v2.24.0.tar.gz new file mode 100644 index 0000000..4b550eb --- /dev/null +++ b/v2.24.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d436ae4892bd80329ca18a3960052fbb42d3f1f46c7519711d6763621ca6cfa0 +size 3911881