SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for libmbedtls9-1.3.11-12.1.x86_64.rpm :

* Mon Jun 15 2015 fisiuAATTopensuse.org- Update to 1.3.11:
* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
* Remove potential sources of timing variations (some contributed by Pascal Junod).
* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
* compat-1.2.h and openssl.h are deprecated.
* ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10).
* Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder).
* Remove dependency on sscanf() in X.509 parsing modules.
* Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
* Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara).
* Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context.
* Fix bug in ssl_mail_client when password is longer that username (found by Bruno Pape).
* Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang\'s 3.6 UBSan).
* mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic).
* Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather that compile time.
* Fix handling of symlinks by \"make install\" (found by Gaël PORTAY).
* Fix potential NULL pointer dereference (not trigerrable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl).
* Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected.
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
* Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
* Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele).
* Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms.
* Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
* Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced in 1.3.10).
* Add missing extern \"C\" guard in aesni.h (reported by amir zamani).
* Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai).
* Fix bug related to ssl_set_curves(): the client didn\'t check that the curve picked by the server was actually allowed.- Drop getrandom-syscall-fallback.patch: fixed upstream.
* Wed Apr 01 2015 schwabAATTsuse.de- getrandom-syscall-fallback.patch: Fall back to /dev/urandom if getrandom syscall is not implemented.
* Fri Mar 27 2015 mpluskalAATTsuse.com- Update package categories
* Wed Mar 18 2015 mpluskalAATTsuse.com- Create symlink to ensure compatibility with polarssl
* Mon Mar 16 2015 mpluskalAATTsuse.com- Update provides/obsoletes
* Sun Mar 15 2015 mpluskalAATTsuse.com- Fix sed for includes
* Sun Mar 15 2015 mpluskalAATTsuse.com- Rename to mbedtls- Use cmake macro for building- Update to 1.3.10
* NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default).
* Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn\'t ask for a client certificate) (found using Codenomicon Defensics).
* Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn\'t ask for a client certificate) (found using Codenomicon Defensics).
* Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn\'t ask for a client certificate) (found using Codenomicon Defensics).
* Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel).
* Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
* Add support for Extended Master Secret (draft-ietf-tls-session-hash).
* Add support for Encrypt-then-MAC (RFC 7366).
* Add function pk_check_pair() to test if public and private keys match.
* Add x509_crl_parse_der().
* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain.
* Support for renegotiation can now be disabled at compile-time
* Support for 1/n-1 record splitting, a countermeasure against BEAST.
* Certificate selection based on signature hash, prefering SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available.
* Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc).
* Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list.
* Added new error codes and debug messages about selection of ciphersuite/certificate.
* Tue Jan 20 2015 fisiuAATTopensuse.org- Add polarssl-CVE-2015-1182.patch: Remote attack using crafted certificates: fix boo#913903, CVE-2015-1182.
* Mon Nov 03 2014 fisiuAATTopensuse.org- Update to 1.3.9, detailed changes available in ChangeLog file:
* Lowest common hash was selected from signature_algorithms extension in TLS 1.2: fix boo#903672, CVE-2014-8627.
* Remotely-triggerable memory leak when parsing some X.509 certificates, CVE-2014-8628.
* Remotely-triggerable memory leak when parsing crafted ClientHello, CVE-2014-8628.
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x.
* Ciphersuites using RSA-PSK key exchange now require TLS 1.x.
* POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA keys.
* X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more.- Build with POLARSSL_THREADING_PTHREAD: fix boo#903671.
* Fri Aug 15 2014 fisiuAATTopensuse.org- Update to 1.3.8, detailed changes available in ChangeLog file:
* Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen.
* Add CCM module and cipher mode to Cipher Layer
* Support for CCM and CCM_8 ciphersuites
* Support for parsing and verifying RSASSA-PSS signatures in the X.509 modules (certificates, CRLs and CSRs).
* Blowfish in the cipher layer now supports variable length keys.
* Add example config.h for PSK with CCM, optimized for low RAM usage.
* Optimize for RAM usage in example config.h for NSA Suite B profile.
* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites from the default list (inactive by default).
* Add server-side enforcement of sent renegotiation requests (ssl_set_renegotiation_enforced())
* Add SSL_CIPHERSUITES config.h flag to allow specifying a list of ciphersuites to use and save some memory if the list is small.
* Sat Mar 29 2014 fisiuAATTopensuse.org- Update to 1.3.5, detailed changes available in ChangeLog file:
* Elliptic Curve Cryptography module added
* Elliptic Curve Diffie Hellman module added
* Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS (ECDHE-based ciphersuites)
* Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS (ECDSA-based ciphersuites)
* Ability to specify allowed ciphersuites based on the protocol version.
* PSK and DHE-PSK based ciphersuites added
* Memory allocation abstraction layer added
* Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
* Threading abstraction layer added (dummy / pthread / alternate)
* Public Key abstraction layer added
* Parsing Elliptic Curve keys
* Parsing Elliptic Curve certificates
* Support for max_fragment_length extension (RFC 6066)
* Support for truncated_hmac extension (RFC 6066)
* Support for zeros-and-length (ANSI X.923) padding, one-and-zeros (ISO/IEC 7816-4) padding and zero padding in the cipher layer
* Support for session tickets (RFC 5077)
* Certificate Request (CSR) generation with extensions (key_usage, ns_cert_type)
* X509 Certificate writing with extensions (basic_constraints, issuer_key_identifier, etc)
* Optional blinding for RSA, DHM and EC
* Support for multiple active certificate / key pairs in SSL servers for the same host (Not to be confused with SNI!)
* Wed May 15 2013 fisiuAATTopensuse.org- Update to 1.2.7:
* Ability to specify allowed ciphersuites based on the protocol version.
* Default Blowfish keysize is now 128-bits
* Test suites made smaller to accommodate Raspberry Pi
* Fix for MPI assembly for ARM
* GCM adapted to support sizes > 2^29
* Sat Mar 16 2013 fisiuAATTopensuse.org- Update to 1.2.6:
* Fixed memory leak in ssl_free() and ssl_reset()
* Corrected GCM counter incrementation to use only 32-bits instead of 128-bits
* Fixed net_bind() for specified IP addresses on little endian systems
* Fixed assembly code for ARM (Thumb and regular)
* Detailed information available in ChangeLog file.
* Fri Mar 08 2013 fisiuAATTopensuse.org- Update to 1.2.5
* Sun Jan 29 2012 jengelhAATTmedozas.de- Remove redundant tags/sections per specfile guideline suggestions
* Sat Jun 11 2011 crrodriguezAATTopensuse.org- Update to version 0.99.5
* Sun Apr 10 2011 crrodriguezAATTopensuse.org- Initial version
  
ICM