2024-03-07 15:01:43 +00:00
Security
   * When negotiating the TLS version on the server side, do not fall back to the
     TLS 1.2 implementation of the protocol if it is disabled.
     - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
       client could put the TLS 1.3-only server in an infinite loop processing
       a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
       Matthias Mucha and Thomas Blattmann, SICK AG.
     - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
       could still establish a TLS 1.2 connection with the server.
       Reported by alluettiv on GitHub.
     Fixes CVE-2024-28836.
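The following Python is an added illustration of the server-side decision the entry describes; it is not Mbed TLS code and not part of the changelog. It parses legacy_version and the supported_versions extension (type 43) out of a ClientHello body, intersects the offered versions with the set the server can actually run, and aborts when the intersection is empty. The set `enabled` is an assumption of this model: a version compiled out at build time or switched off at runtime is simply absent from it. `negotiate_with_fallback_bug` is a deliberately simplified model of the fallback behaviour being fixed, not the project's real code path, and `build_client_hello` produces constructed test input rather than a capture.

```python
"""Server-side TLS version negotiation, as an added model of the entry above.

Not Mbed TLS code. The server's usable versions are passed in as a set, so a
version that is compiled out at build time or switched off at runtime is
represented the same way: it is simply absent, and the server must never
dispatch a handshake to it.
"""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 section 4.2.1


def build_client_hello(legacy_version, supported_versions=None):
    """Build a minimal ClientHello body (constructed test input, not a capture)."""
    body = struct.pack(">H", legacy_version)
    body += b"\x00" * 32                                 # random
    body += b"\x00"                                      # empty legacy_session_id
    body += struct.pack(">H", 2) + b"\x13\x01"           # one cipher suite
    body += b"\x01\x00"                                  # compression: null only
    if supported_versions is None:
        return body                                      # no extensions block at all
    vers = b"".join(struct.pack(">H", v) for v in supported_versions)
    data = bytes([len(vers)]) + vers                     # opaque versions<2..254>
    ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    return body + struct.pack(">H", len(ext)) + ext


def client_versions(hello):
    """Return the set of versions the ClientHello offers (TLS 1.2/1.3 only here).

    A supported_versions extension is authoritative and legacy_version is then
    ignored. Without it, legacy_version is the client's maximum; since TLS 1.3
    can only be offered through the extension, that path yields TLS 1.2 at most.
    """
    (legacy_version,) = struct.unpack_from(">H", hello, 0)
    off = 2 + 32                                         # version + random
    off += 1 + hello[off]                                # legacy_session_id
    (cs_len,) = struct.unpack_from(">H", hello, off)
    off += 2 + cs_len                                    # cipher_suites
    off += 1 + hello[off]                                # legacy_compression_methods
    if off < len(hello):                                 # extensions present
        (ext_total,) = struct.unpack_from(">H", hello, off)
        off += 2
        end = off + ext_total
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", hello, off)
            off += 4
            data = hello[off:off + ext_len]
            off += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                count = data[0] // 2
                return {struct.unpack_from(">H", data, 1 + 2 * i)[0]
                        for i in range(count)}
    return {TLS12} if legacy_version >= TLS12 else set()


def negotiate(hello, enabled):
    """Pick the highest version both sides support, or None to abort.

    None means: send a protocol_version alert and stop. The handshake is only
    ever handed to an implementation that is in `enabled`, so neither the
    compiled-out nor the runtime-disabled TLS 1.2 path can be reached.
    """
    common = client_versions(hello) & enabled
    return max(common) if common else None


def negotiate_with_fallback_bug(hello, enabled):
    """Simplified model of the fallback the entry describes (not the real code).

    Only the TLS 1.3 choice is checked against the server's configuration; any
    other ClientHello is routed to the TLS 1.2 path whether or not TLS 1.2 is
    enabled, so a TLS 1.2-only client reaches code the server should not run.
    """
    if TLS13 in client_versions(hello) and TLS13 in enabled:
        return TLS13
    return TLS12


if __name__ == "__main__":
    tls12_only_client = build_client_hello(TLS12, [TLS12])
    tls13_only_server = {TLS13}
    print("buggy :", hex(negotiate_with_fallback_bug(tls12_only_client, tls13_only_server)))
    print("fixed :", negotiate(tls12_only_client, tls13_only_server))
```

The model only covers the version decision, not the infinite loop from the build-time case: its point is that the decision must be made against the set of versions the server can run, and that "no common version" ends in an alert rather than in a dispatch to whatever implementation happens to be reachable. Both the compiled-out and the runtime-disabled TLS 1.2 cases collapse to the same check once TLS 1.2 is absent from `enabled`.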