diff options
author | Jack Lloyd <[email protected]> | 2015-11-04 14:34:27 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2015-11-04 14:34:27 -0500 |
commit | cb4ab0662dfbe462dbe578ffa7d6f44effa51d82 (patch) | |
tree | 427d8a89131fc4ef6413e663016ecc4689a1e640 /doc/security.rst | |
parent | 7049b8e541b032e42ab0b4007a344bd14918bdcc (diff) |
Update for 1.11.24 release1.11.24
Diffstat (limited to 'doc/security.rst')
-rw-r--r-- | doc/security.rst | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst index 192571829..84d8d49d8 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -19,6 +19,17 @@ Advisories 2015 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* 2015-11-04: TLS certificate authentication bypass + + When the bugs affecting X.509 path validation were fixed in 1.11.22, a check + in Credentials_Manager::verify_certificate_chain was accidentally removed + which caused path validation failures not to be signaled to the TLS layer. So + for affected versions, certificate authentication in TLS is bypassed. As a + workaround, applications can override the call and implement the correct + check. Reported by Florent Le Coz in GH #324 + + Introduced in 1.11.22, fixed in 1.11.24 + * 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS A padding oracle attack was possible against TLS CBC ciphersuites because if a |