Update for 1.11.24 release1.11.24

author: Jack Lloyd <[email protected]> 2015-11-04 14:34:27 -0500
committer: Jack Lloyd <[email protected]> 2015-11-04 14:34:27 -0500
commit: cb4ab0662dfbe462dbe578ffa7d6f44effa51d82 (patch)
tree: 427d8a89131fc4ef6413e663016ecc4689a1e640 /doc
parent: 7049b8e541b032e42ab0b4007a344bd14918bdcc (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst
index 192571829..84d8d49d8 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,6 +19,17 @@ Advisories
 2015
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+* 2015-11-04: TLS certificate authentication bypass
+
+  When the bugs affecting X.509 path validation were fixed in 1.11.22, a check
+  in Credentials_Manager::verify_certificate_chain was accidentally removed
+  which caused path validation failures not to be signaled to the TLS layer.  So
+  for affected versions, certificate authentication in TLS is bypassed. As a
+  workaround, applications can override the call and implement the correct
+  check. Reported by Florent Le Coz in GH #324
+
+  Introduced in 1.11.22, fixed in 1.11.24
+
 * 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
 
   A padding oracle attack was possible against TLS CBC ciphersuites because if a
author	Jack Lloyd <[email protected]>	2015-11-04 14:34:27 -0500
committer	Jack Lloyd <[email protected]>	2015-11-04 14:34:27 -0500
commit	cb4ab0662dfbe462dbe578ffa7d6f44effa51d82 (patch)
tree	427d8a89131fc4ef6413e663016ecc4689a1e640 /doc
parent	7049b8e541b032e42ab0b4007a344bd14918bdcc (diff)