author: Jack Lloyd <[email protected]> 2017-04-04 16:51:19 -0400
committer: Jack Lloyd <[email protected]> 2017-04-04 16:51:19 -0400
commit: d6b0920dc9732471e6831657ee372997b71bbc27 (patch)
tree: 2ac2b70b286dd22d451dd156b7d8b9462e6ee948 /news.rst
parent: cbd9952859c90845f1b6c578b8487e51105f042e (diff)
More news updates
Diffstat (limited to 'news.rst')
-rw-r--r-- news.rst | 13
1 files changed, 11 insertions, 2 deletions
diff --git a/news.rst b/news.rst
index e088c4bff..063a72a6e 100644
--- a/news.rst
+++ b/news.rst
@@ -8,6 +8,11 @@ Version 2.1.0, Not Yet Released
characters were truncated at 56 characters. Found and reported by Solar Designer.
(CVE-2017-7252) (GH #938)
+* Fix a bug in X509 DN string comparisons that could result in out of bound
+ reads. This could result in information leakage, denial of service, or
+ potentially incorrect certificate validation results. Found independently
+ by Cisco Talos team and OSS-Fuzz. (CVE-2017-2801)
+
* Correct minimum work factor for Bcrypt password hashes. All other
implementations require the work factor be at least 4. Previously Botan simply
required it be greater than zero. (GH #938)
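Review bot: the new CVE-2017-2801 entry is the only entry in this hunk without a GH issue reference; the neighbouring entries each close with one (e.g. "(CVE-2017-7252) (GH #938)"), so if a tracking issue exists it should be cited after the CVE for consistency. Minor wording in the same added lines: "out of bound reads" should read "out-of-bounds reads".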
@@ -16,12 +21,16 @@ Version 2.1.0, Not Yet Released
Uses Montgomery ladder with order/2 bits scalar blinding and point randomization
now by default. (GH #893)
+* Add ability to search for certificates using the SHA-256 of the distinguished name.
+ (GH #900)
+
* Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
identically to an 8-byte IV of all zeros.
* Add new interfaces to the C API including multiple precision integers, key
- validity tests, extracting algorithm specific key paramters (eg the modulus
- and public exponent from RSA public keys). GH #899 #944 #946 #961 #964
+ validity tests, block ciphers, and extracting algorithm specific key paramters
+ (such as the modulus and public exponent from RSA public keys). GH #899 #944
+ #946 #961 #964
* The PKCS11 module did not require any external dependencies, so it
has been enabled by default. The ``-with-pkcs11`` and ``--without-pkcs11``
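Review bot: the rewritten line "+ validity tests, block ciphers, and extracting algorithm specific key paramters" carries over the "paramters" typo from the removed line; since the sentence is being reworked anyway, change it to "parameters" (and "algorithm-specific" reads better hyphenated). In the trailing context, ``-with-pkcs11`` has a single leading dash while ``--without-pkcs11`` on the same line has two, which looks like a typo in the flag name worth fixing in a follow-up.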