Parse HelloVerifyRequest buffer overread: add changelog entry

Gilles Peskine 2019-09-27 14:07:00 +02:00
parent d5c4a7cc11
commit afbcf97c20

@ -20,6 +20,8 @@ Security
timings on the comparison in the key generation enabled the attacker to
learn leading bits of the ephemeral key used during ECDSA signatures and to
recover the private key. Reported by Jeremy Dubeuf.
* Fix a potentially remotely exploitable buffer overread in a
DTLS client when parsing the Hello Verify Request message.
Bugfix
* Remove redundant line for getting the bitlen of a bignum, since the variable
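Review bot: The new Security entry ("Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.") tells a user neither what a peer has to send to trigger the overread nor what the consequence is (crash, or disclosure of adjacent memory), so they cannot judge how urgently to upgrade. Suggest adding one clause on the trigger condition and the impact. The entry just above credits its reporter ("Reported by Jeremy Dubeuf."); if this issue came from an external report, add the credit in the same form. Minor style point: the first line breaks after "in a" well short of the width used by the surrounding entries, so rewrap it to match.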