Fix the ChangeLog for clarity, english and credit

This commit is contained in:
Simon Butcher 2018-04-30 17:23:00 +01:00
parent 07d1d5f270
commit 88cc94168c

View file

@ -3,26 +3,27 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx
Security
* Fix a bug in the X.509 module potentially leading to a buffer overread
during CRT verification or to invalid or omitted checks for certificate
validity. The former can be triggered remotely, while the latter requires
a non DER-compliant certificate correctly signed by a trusted CA, or a
trusted CA with a non DER-compliant certificate. Found by luocm on GitHub.
Fixes #825.
* Fix buffer length assertion in the ssl_parse_certificate_request()
function which leads to an arbitrary overread of the message buffer. The
overreads could occur upon receiving a message malformed at the point
where an optional signature algorithms list is expected in the cases of
the signature algorithms section being too short. In the debug builds
the overread data is printed to the standard output.
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate validation. Additionally, the issue could also lead to
unnecessary callback checks being made or to some validation checks to be
omitted. The overread could be triggered remotely, while the other issues
would require a non DER-compliant certificate to be correctly signed by a
trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
luocm. Fixes #825.
* Fix the buffer length assertion in the ssl_parse_certificate_request()
function which led to an arbitrary overread of the message buffer. The
overreads could be caused by receiving a malformed message at the point
where an optional signature algorithms list is expected when the signature
algorithms section is too short. In builds with debug output, the overread
data is output with the debug data.
* Fix a client-side bug in the validation of the server's ciphersuite choice
potentially leading to the client accepting a ciphersuite it didn't offer
or one that cannot be used with the (D)TLS version chosen by the server.
This may lead to corruption of internal data structures for some
configurations.
which could potentially lead to the client accepting a ciphersuite it didn't
offer or a ciphersuite that cannot be used with the TLS or DTLS version
chosen by the server. This could lead to corruption of internal data
structures for some configurations.
Bugfix
* Fix spurious uninitialized variable warning in cmac.c. Fix independently
* Fix a spurious uninitialized variable warning in cmac.c. Fix independently
contributed by Brian J Murray and David Brown.
* Add missing dependencies in test suites that led to build failures
in configurations that omit certain hashes or public-key algorithms.
@ -30,15 +31,16 @@ Bugfix
* Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
#1353
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
MBEDTLS_VERSION_FEATURES in test suites. Contributed by Deomid Ryabkov.
Fixes #1299, #1475.
* Fix dynamic library building process with Makefile on Mac OS X. Fixed by
mnacamura.
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
Deomid Ryabkov. Fixes #1299, #1475.
* Fix the Makefile build process for building shared libraries on Mac OS X.
Fixed by mnacamura.
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
unable to parse keys with only the optional parameters field of the
ECPrivateKey structure. Found by jethrogb, fixed in #1379.
* Return plaintext data sooner on unpadded CBC decryption, as stated in
the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson.
unable to parse keys which had only the optional parameters field of the
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
* Return the plaintext data more quickly on unpadded CBC decryption, as
stated in the mbedtls_cipher_update() documentation. Contributed by
Andy Leiserson.
* Fix overriding and ignoring return values when parsing and writing to
a file in pk_sign program. Found by kevlut in #1142.
* Fix buffer length assertions in the ssl_parse_certificate_request()
@ -48,8 +50,8 @@ Bugfix
decompression.
Changes
* Support cmake build where Mbed TLS is a subproject. Fix
contributed independently by Matthieu Volat and Arne Schwabe.
* Support cmake builds where Mbed TLS is a subproject. Fix contributed
independently by Matthieu Volat and Arne Schwabe.
* Improve testing in configurations that omit certain hashes or
public-key algorithms. Includes contributions by Gert van Dijk.
* Improve negative testing of X.509 parsing.
@ -63,7 +65,7 @@ Changes
Krylov.
* Improve the documentation of mbedtls_ssl_write(). Suggested by
Paul Sokolovsky in #1356.
* Add an option in the makefile to support ar utilities where the operation
* Add an option in the Makefile to support ar utilities where the operation
letter must not be prefixed by '-', such as LLVM. Found and fixed by
Alex Hixon.
* Allow configuring the shared library extension by setting the DLEXT