mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add CVE IDs to security ChangeLog

Browse Source 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This commit is contained in:
David Horstmann 2024-08-28 19:04:26 +01:00
parent 18f3bebb6f
commit fedf9a2096
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -71,11 +71,13 @@ Security
* Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled. MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
CVE-2024-45157
* Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
largest supported curve. In some configurations with PSA disabled, largest supported curve. In some configurations with PSA disabled,
all values of bits are affected. This never happens in internal library all values of bits are affected. This never happens in internal library
calls, but can affect applications that call these functions directly. calls, but can affect applications that call these functions directly.
CVE-2024-45158
* With TLS 1.3, when a server enables optional authentication of the * With TLS 1.3, when a server enables optional authentication of the
client, if the client-provided certificate does not have appropriate values client, if the client-provided certificate does not have appropriate values
in keyUsage or extKeyUsage extensions, then the return value of in keyUsage or extKeyUsage extensions, then the return value of
@ -86,6 +88,7 @@ Security
authentication anyway. Only TLS 1.3 servers were affected, and only with authentication anyway. Only TLS 1.3 servers were affected, and only with
optional authentication (required would abort the handshake with a fatal optional authentication (required would abort the handshake with a fatal
alert). alert).
CVE-2024-45159
Bugfix Bugfix
* Fix TLS 1.3 client build and runtime when support for session tickets is * Fix TLS 1.3 client build and runtime when support for session tickets is