Subject: CVS commit: pkgsrc/security/mbedtls1
From: Filip Hajny
Date: 2016-09-15 12:48:01
Message id: 20160915104801.CE0A8FBD1@cvs.NetBSD.org
Log Message:
Update security/mbedtls1 to 1.3.17
Security
- Fixed missing padding length check required by PKCS1 v2.2 in
mbedtls_rsa_rsaes_pkcs1_v15_decrypt(). (considered low impact)
- Fixed potential integer overflow to buffer overflow in
mbedtls_rsa_rsaes_pkcs1_v15_encrypt() and
mbedtls_rsa_rsaes_oaep_encrypt(). (not triggerable remotely in
(D)TLS).
- Fixed potential integer underflow to buffer overread in
mbedtls_rsa_rsaes_oaep_decrypt(). It is not triggerable remotely
in SSL/TLS.
Bugfix
- Fixed bug in mbedtls_mpi_add_mpi() that caused wrong results
when the three arguments were the same (in-place doubling). #309
- Fixed issue in Makefile that prevented building using armar.
#386
- Fixed issue that caused a hang when generating RSA keys of odd
bitlength.
- Fixed bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt() that made
null pointer dereference possible.
- Fixed issue that caused a crash if invalid curves were passed to
mbedtls_ssl_conf_curves(). #373
Changes
- On ARM platforms, when compiling with -O0 with GCC, Clang or
armcc5, don't use the optimized assembly for bignum
multiplication. This removes the need to pass -fomit-frame-pointer
to avoid a build error with -O0.
- Disabled SSLv3 in the default configuration.
Files:
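The first two Security items above concern EME-PKCS1-v1_5 framing: the minimum padding-string length that PKCS #1 v2.2 (RFC 8017) requires on decryption, and a length check on encryption that cannot wrap around. The following is an added example written for this page, not mbed TLS code; the function names are its own, and only the PKCS #1 rules themselves are taken from the standard.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not mbed TLS code): the EME-PKCS1-v1_5 framing rules of
 * RFC 8017 / PKCS #1 v2.2.  EM = 0x00 || 0x02 || PS || 0x00 || M, where PS
 * is at least 8 random non-zero octets, so k octets hold at most k - 11
 * octets of message.  Function names are this example's own. */

/* Encrypt side: can mlen message octets be padded into a k-octet block?
 * A floor check followed by subtraction cannot wrap, whereas a naive
 * "mlen + 11 > k" test wraps for huge mlen and lets the copy overflow. */
int pkcs1_v15_fits(size_t k, size_t mlen)
{
    if (k < 11)
        return 0;
    return mlen <= k - 11;
}

/* Decrypt side: validate a decoded block em[0..k).  Every defect is folded
 * into one flag so the caller gets a single pass/fail and the code path
 * does not reveal which check failed.  Returns the offset of M on success,
 * -1 on any padding defect. */
long pkcs1_v15_unpad(const uint8_t *em, size_t k)
{
    if (k < 11)                      /* too short for 3 framing + 8 PS octets */
        return -1;

    size_t bad = (em[0] != 0x00) | (em[1] != 0x02);
    size_t sep = 0;                  /* index of the first 0x00 after 0x02 */
    size_t found = 0;

    for (size_t i = 2; i < k; i++) {
        size_t is_zero = (em[i] == 0x00);
        size_t first = is_zero & (found ^ 1);   /* 1 only at the first zero */
        sep |= first * i;
        found |= is_zero;
    }

    bad |= found ^ 1;                /* no separator at all */
    /* PS occupies em[2..sep), so the missing length check is sep - 2 >= 8;
     * written as sep < 10 so it also fires when no separator was found. */
    bad |= (sep < 10);

    if (bad)
        return -1;
    return (long)(sep + 1);          /* M starts right after the separator */
}
```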