From 534fea790e48face2b597a9dbcbb2a7cc66f36a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 11 Jul 2018 18:27:08 +0200 Subject: [PATCH] Clarify attack conditions in the ChangeLog. Referring to the previous entry could imply that the current one was limited to SHA-384 too, which it isn't. --- ChangeLog | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 93abcd9da..d06c57105 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,10 +19,13 @@ Security * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to execute code on the local machine as well as manipulate network packets, to partially recover the - plaintext of messages under some conditions (see previous entry) by using - a cache attack targetting an internal MD/SHA buffer. Connections using - GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not - affected. Found by Kenny Paterson, Eyal Ronen and Adi Shamir. + plaintext of messages under some conditions by using a cache attack + targetting an internal MD/SHA buffer. With TLS or if + mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if + the same secret (for example a HTTP Cookie) has been repeatedly sent over + connections manipulated by the attacker. Connections using GCM or CCM + instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected. + Found by Kenny Paterson, Eyal Ronen and Adi Shamir. * Add a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to execute code on the local machine as well as manipulate network packets,