Fix the ChangeLog for clarity, English and credit

Simon Butcher 2018-04-30 17:23:00 +01:00
parent 07d1d5f270
commit 88cc94168c

@ -3,26 +3,27 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx = mbed TLS x.x.x branch released xxxx-xx-xx
Security Security
* Fix a bug in the X.509 module potentially leading to a buffer overread * Fix an issue in the X.509 module which could lead to a buffer overread
during CRT verification or to invalid or omitted checks for certificate during certificate validation. Additionally, the issue could also lead to
validity. The former can be triggered remotely, while the latter requires unnecessary callback checks being made or to some validation checks to be
a non DER-compliant certificate correctly signed by a trusted CA, or a omitted. The overread could be triggered remotely, while the other issues
trusted CA with a non DER-compliant certificate. Found by luocm on GitHub. would require a non DER-compliant certificate to be correctly signed by a
Fixes #825. trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
* Fix buffer length assertion in the ssl_parse_certificate_request() luocm. Fixes #825.
function which leads to an arbitrary overread of the message buffer. The * Fix the buffer length assertion in the ssl_parse_certificate_request()
overreads could occur upon receiving a message malformed at the point function which led to an arbitrary overread of the message buffer. The
where an optional signature algorithms list is expected in the cases of overreads could be caused by receiving a malformed message at the point
the signature algorithms section being too short. In the debug builds where an optional signature algorithms list is expected when the signature
the overread data is printed to the standard output. algorithms section is too short. In builds with debug output, the overread
data is output with the debug data.
* Fix a client-side bug in the validation of the server's ciphersuite choice * Fix a client-side bug in the validation of the server's ciphersuite choice
potentially leading to the client accepting a ciphersuite it didn't offer which could potentially lead to the client accepting a ciphersuite it didn't
or one that cannot be used with the (D)TLS version chosen by the server. offer or a ciphersuite that cannot be used with the TLS or DTLS version
This may lead to corruption of internal data structures for some chosen by the server. This could lead to corruption of internal data
configurations. structures for some configurations.
Bugfix Bugfix
* Fix spurious uninitialized variable warning in cmac.c. Fix independently * Fix a spurious uninitialized variable warning in cmac.c. Fix independently
contributed by Brian J Murray and David Brown. contributed by Brian J Murray and David Brown.
* Add missing dependencies in test suites that led to build failures * Add missing dependencies in test suites that led to build failures
in configurations that omit certain hashes or public-key algorithms. in configurations that omit certain hashes or public-key algorithms.
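Review bot: In the reworded X.509 Security entry, "Additionally, the issue could also lead to unnecessary callback checks being made or to some validation checks to be omitted" is redundant ("Additionally ... also"), is not parallel ("being made" against "to be omitted"), and lists the omitted validation checks, the effect a reader of a Security entry most needs to see, last. Suggest "The issue could also lead to some validation checks being omitted or to unnecessary callback checks being made." The old text also mentioned "invalid" checks for certificate validity, which the new wording no longer covers; please confirm that is intended. In the ciphersuite entry, "could potentially lead" can simply be "could lead".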
@ -30,15 +31,16 @@ Bugfix
* Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks. * Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
#1353 #1353
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and * Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
MBEDTLS_VERSION_FEATURES in test suites. Contributed by Deomid Ryabkov. MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
Fixes #1299, #1475. Deomid Ryabkov. Fixes #1299, #1475.
* Fix dynamic library building process with Makefile on Mac OS X. Fixed by * Fix the Makefile build process for building shared libraries on Mac OS X.
mnacamura. Fixed by mnacamura.
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was * Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
unable to parse keys with only the optional parameters field of the unable to parse keys which had only the optional parameters field of the
ECPrivateKey structure. Found by jethrogb, fixed in #1379. ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
* Return plaintext data sooner on unpadded CBC decryption, as stated in * Return the plaintext data more quickly on unpadded CBC decryption, as
the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson. stated in the mbedtls_cipher_update() documentation. Contributed by
Andy Leiserson.
* Fix overriding and ignoring return values when parsing and writing to * Fix overriding and ignoring return values when parsing and writing to
a file in pk_sign program. Found by kevlut in #1142. a file in pk_sign program. Found by kevlut in #1142.
* Fix buffer length assertions in the ssl_parse_certificate_request() * Fix buffer length assertions in the ssl_parse_certificate_request()
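Review bot: In the unpadded CBC entry, "more quickly" changes the meaning of the old "sooner": the old wording says the plaintext is returned at an earlier point, as the mbedtls_cipher_update() documentation states, while the new wording reads as a speed improvement. Suggest keeping "sooner" or using "earlier". Separately, the context line that closes this hunk begins a Bugfix entry for buffer length assertions in ssl_parse_certificate_request(), and the Security section already carries an entry for a buffer length assertion in the same function; since this commit is about ChangeLog clarity, it is worth confirming that these are two distinct fixes and making the difference visible in the wording. The credit change from "jethrogb" to "Jethro Beekman" is fine, but other credits in the same hunk (mnacamura, kevlut) remain handles, so the file stays mixed.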
@ -48,8 +50,8 @@ Bugfix
decompression. decompression.
Changes Changes
* Support cmake build where Mbed TLS is a subproject. Fix * Support cmake builds where Mbed TLS is a subproject. Fix contributed
contributed independently by Matthieu Volat and Arne Schwabe. independently by Matthieu Volat and Arne Schwabe.
* Improve testing in configurations that omit certain hashes or * Improve testing in configurations that omit certain hashes or
public-key algorithms. Includes contributions by Gert van Dijk. public-key algorithms. Includes contributions by Gert van Dijk.
* Improve negative testing of X.509 parsing. * Improve negative testing of X.509 parsing.
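Review bot: In the first Changes entry, "cmake builds" keeps the tool name in lower case while the same commit capitalises "Makefile" in a later entry; for consistency, suggest "CMake builds" here.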
@ -63,7 +65,7 @@ Changes
Krylov. Krylov.
* Improve the documentation of mbedtls_ssl_write(). Suggested by * Improve the documentation of mbedtls_ssl_write(). Suggested by
Paul Sokolovsky in #1356. Paul Sokolovsky in #1356.
* Add an option in the makefile to support ar utilities where the operation * Add an option in the Makefile to support ar utilities where the operation
letter must not be prefixed by '-', such as LLVM. Found and fixed by letter must not be prefixed by '-', such as LLVM. Found and fixed by
Alex Hixon. Alex Hixon.
* Allow configuring the shared library extension by setting the DLEXT * Allow configuring the shared library extension by setting the DLEXT
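Review bot: In the ar entry, "such as LLVM" names a toolchain where the sentence calls for an ar utility; since the line is being edited anyway, suggest "such as LLVM's ar" so the example matches "ar utilities where the operation letter must not be prefixed by '-'".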