
Changelog History

  • v2.19.1

    September 18, 2019
  • v2.19.0

    September 06, 2019
  • v2.19.0.d2

    September 06, 2019
  • v2.19.0.d1

    September 06, 2019
  • v2.18.1

    July 12, 2019
  • v2.18.0

    June 18, 2019
  • v2.17.0

    March 19, 2019
  • v2.16.8 Changes

    September 01, 2020

    Description

    🚀 This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories.

    🔋 Features

    • Support building on e2k (Elbrus) architecture: correctly enable -Wformat-signedness, and fix the code that causes signed-one-bit-field and sign-compare warnings. Contributed by makise-homura (Igor Molchanov) [email protected].

    🔒 Security

    • When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro Beekman in #3433.
    • 🛠 In (D)TLS record decryption, when using a CBC ciphersuites without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
    • 🛠 Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
    • Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
    • Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory. Reported in #689 by Johan Uppman Bruce of Sectra.
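    As an added illustration of the CRL revocationDate issue in the first Security item above (this is constructed example code, not Mbed TLS's own CRL parser), the clock-dependent lookup is shown beside the RFC 5280 lookup on a one-entry CRL; `crl_entry_t`, the function names, the sample serial and the timestamps are all assumptions.

```c
#include <stdbool.h>
#include <string.h>
#include <time.h>

/* Constructed model of one CRL entry: serial number plus revocationDate as
 * seconds since the epoch. Not Mbed TLS's own CRL structure. */
typedef struct {
    const unsigned char *serial;
    size_t serial_len;
    time_t revocation_date;
} crl_entry_t;
static bool serial_matches(const crl_entry_t *e, const unsigned char *s, size_t n)
{
    return e->serial_len == n && memcmp(e->serial, s, n) == 0;
}
/* Pre-fix logic, reconstructed from the release note: a listed serial only counts
 * as revoked if its revocationDate is not after `now`. If `now` comes from a clock
 * the attacker controls (untrusted host, enclave), rolling it back hides every entry. */
bool is_revoked_clock_dependent(const crl_entry_t *crl, size_t n,
                                const unsigned char *serial, size_t len, time_t now)
{
    for (size_t i = 0; i < n; i++)
        if (serial_matches(&crl[i], serial, len) && crl[i].revocation_date <= now)
            return true;
    return false;
}
/* Fixed logic: a serial listed in the CRL is revoked regardless of the local
 * clock, as RFC 5280 requires; revocationDate is informational only. */
bool is_revoked_rfc5280(const crl_entry_t *crl, size_t n,
                        const unsigned char *serial, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (serial_matches(&crl[i], serial, len))
            return true;
    return false;
}
/* Constructed sample CRL: one entry revoked at t = 1000000000 (Sept 2001). */
static const unsigned char SERIAL_A[] = { 0x01, 0x02, 0x03 };
static const crl_entry_t SAMPLE_CRL[] = { { SERIAL_A, sizeof SERIAL_A, (time_t)1000000000 } };

/* Returns 1 if a clock rolled back to t = 0 fools the old check while the fixed
 * check still reports the certificate as revoked; 0 otherwise. */
int demo_clock_rollback(void)
{
    size_t n = sizeof SAMPLE_CRL / sizeof SAMPLE_CRL[0];
    bool old = is_revoked_clock_dependent(SAMPLE_CRL, n, SERIAL_A, sizeof SERIAL_A, (time_t)0);
    bool fixed = is_revoked_rfc5280(SAMPLE_CRL, n, SERIAL_A, sizeof SERIAL_A);
    return (!old && fixed) ? 1 : 0;
}
```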

    🛠 Bugfix

    • Avoid use of statically sized stack buffers for certificate writing. This previously limited the maximum size of DER encoded certificates in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
    • Reduce the stack consumption of mbedtls_x509write_csr_der() which previously could lead to stack overflow on constrained devices. Contributed by Doru Gucea and Simon Leet in #3464.
    • 👉 Use arc4random_buf on NetBSD instead of rand implementation with cyclical lower bits. Fix contributed in #3540.
    • Fix building library/net_sockets.c and the ssl_mail_client program on NetBSD. NetBSD conditionals were added for the backport to avoid the risk of breaking a platform. Original fix contributed by Nia Alarie in #3422. Adapted for long-term support branch 2.16 in #3558.
    • 🛠 Fix bug in redirection of unit test outputs on platforms where stdout is defined as a macro. First reported in #2311 and fix contributed in #3528. Adopted for LTS branch 2.16 in #3601.

    🔄 Changes

    • โšก๏ธ Update copyright notices to use Linux Foundation guidance. As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. This also eliminates the need for the lines declaring the files to be part of MbedTLS. Fixes #3457.

    โšก๏ธ Who should update

    ๐Ÿš€ We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

    Checksum

    The SHA256 hashes for the archives are:

    fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430 mbedtls-2.16.8.tar.gz
    a2904aa4f8b23a3e3972f87ff1c7e450a128c38d00ac28ad183296607fe2d9d6 mbedtls-2.16.8.zip
    
  • v2.16.7 Changes

    July 01, 2020

    Description

    🚀 Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

    🔒 Security

    • 🛠 Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
    • Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
    • Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

    🛠 Bugfix

    • 🛠 Fix the Visual Studio Release x64 build configuration for mbedtls itself. Completes a previous fix in Mbed TLS 2.16.3 that only fixed the build for the example programs. Reported in #1430 and fix contributed by irwir.
    • 🛠 Fix undefined behavior in X.509 certificate parsing if the pathLenConstraint basic constraint value is equal to INT_MAX. The actual effect with almost every compiler is the intended behavior, so this is unlikely to be exploitable anywhere. #3197
    • 🛠 Include asn1.h in error.c. Fixes #3328 reported by David Hu.
    • Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz() when PRNG function fails. Contributed by Jonas Lejeune in #3318.
    • Add additional bounds checks in ssl_write_client_hello() preventing output buffer overflow if the configuration declared a buffer that was too small.

    🔄 Changes

    • Unify the example programs termination to call mbedtls_exit() instead of using a return command. This has been done to enable customization of the behavior in bare metal environments.
    • Abort the ClientHello writing function as soon as some extension doesn't fit into the record buffer. Previously, such extensions were silently dropped. As a consequence, the TLS handshake now fails when the output buffer is not large enough to hold the ClientHello.
    • The ECP module, enabled by MBEDTLS_ECP_C, now depends on MBEDTLS_CTR_DRBG_C, MBEDTLS_HMAC_DRBG_C, MBEDTLS_SHA512_C or MBEDTLS_SHA256_C for some side-channel countermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option MBEDTLS_ECP_NO_INTERNAL_RNG.

    โšก๏ธ Who should update

    ๐Ÿš€ We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

    Checksum

    The SHA256 hashes for the archives are:

    c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992 mbedtls-2.16.7.tar.gz
    6ee853f8dbbe662b7647b454c9635ed7f2b3c78293e064c1be74c7cfd97d080b mbedtls-2.16.7.zip
    
  • v2.16.6 Changes

    April 14, 2020

    Description

    🚀 Mbed TLS 2.16.6 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory.

    🔒 Security

    • 🛠 Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
    • 🛠 Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.

    🛠 Bugfix

    • Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
    • 🛠 Fix a function name in a debug message. Contributed by Ercan Ozturk in #3013.

    โšก๏ธ Who should update

    ๐Ÿš€ We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.