diff --git a/ChangeLog b/ChangeLog index 4f90d560b..5d2e8db18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,13 @@ Security RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). Reported by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom. CVE-2018-19608 + * In mbedtls_mpi_write_binary(), don't leak the exact size of the number + via branching and memory access patterns. An attacker who could submit + a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing + of the decryption and not its result could nonetheless decrypt RSA + plaintexts and forge RSA signatures. Other asymmetric algorithms may + have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham, + Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom. = mbed TLS 2.13.1 branch released 2018-09-06