Clarify attack conditions in the ChangeLog.
Referring to the previous entry could imply that the current one was limited to SHA-384 too, which it isn't.
This commit is contained in:
parent
6a25cfae2a
commit
830ce11eba
1 changed files with 7 additions and 4 deletions
11
ChangeLog
11
ChangeLog
|
@ -19,10 +19,13 @@ Security
|
||||||
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
|
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
|
||||||
1.2, that allowed a local attacker, able to execute code on the local
|
1.2, that allowed a local attacker, able to execute code on the local
|
||||||
machine as well as manipulate network packets, to partially recover the
|
machine as well as manipulate network packets, to partially recover the
|
||||||
plaintext of messages under some conditions (see previous entry) by using
|
plaintext of messages under some conditions by using a cache attack
|
||||||
a cache attack targetting an internal MD/SHA buffer. Connections using
|
targetting an internal MD/SHA buffer. With TLS or if
|
||||||
GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not
|
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
|
||||||
affected. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
|
the same secret (for example a HTTP Cookie) has been repeatedly sent over
|
||||||
|
connections manipulated by the attacker. Connections using GCM or CCM
|
||||||
|
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
|
||||||
|
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
|
||||||
* Add a counter-measure against a vulnerability in TLS ciphersuites based
|
* Add a counter-measure against a vulnerability in TLS ciphersuites based
|
||||||
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
|
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
|
||||||
execute code on the local machine as well as manipulate network packets,
|
execute code on the local machine as well as manipulate network packets,
|
||||||
|
|
Loading…
Reference in a new issue