Tidied up style and phrasing of ChangeLog

This commit is contained in:
Simon Butcher 2016-10-16 00:18:54 +01:00
parent c83f470eb8
commit 657c010884

View file

@ -3,29 +3,30 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.1.x branch released 2016-xx-xx = mbed TLS 2.1.x branch released 2016-xx-xx
Security Security
* Remove MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant * Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
with RFC5116 and could lead to session key recovery in very long TLS with RFC-5116 and could lead to session key recovery in very long TLS
sessions. (H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic - sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
"Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in TLS") TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
* Fix potential stack corruption in mbedtls_x509write_crt_der() and https://eprint.iacr.org/2016/475.pdf
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The without checking whether there is enough space in the destination. The
issue cannot be triggered remotely. (found by Jethro Beekman) issue cannot be triggered remotely. Found by Jethro Beekman.
Bugfix Bugfix
* Fix an issue that caused valid certificates being rejected whenever an * Fix an issue that caused valid certificates being rejected whenever an
expired or not yet valid version of the trusted certificate was before the expired or not yet valid version of the trusted certificate was before the
valid version in the trusted certificate list. valid version in the trusted certificate list.
* Fix incorrect handling of block lengths in crypt_and_hash sample program, * Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
when GCM is used. #441 when GCM is used. Found by udf2457. #441
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't * Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
enabled unless others were also present. Found by David Fernandez. #428 enabled unless others were also present. Found by David Fernandez. #428
* Fixed cert_app sample program for debug output and for use when no root * Fixed cert_app.c sample program for debug output and for use when no root
certificates are provided. certificates are provided.
* Fix conditional statement that would cause a 1 byte overread in * Fix conditional statement that would cause a 1 byte overread in
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599 mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
* Fixed pthread implementation to avoid unintended double initialisations * Fixed pthread implementation to avoid unintended double initialisations
and double frees. (found by Niklas Amnebratt) and double frees. Found by Niklas Amnebratt.
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
by inestlerode. #559. by inestlerode. #559.