aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/security.rst11
-rw-r--r--readme.rst11
2 files changed, 18 insertions, 4 deletions
diff --git a/doc/security.rst b/doc/security.rst
index 192571829..84d8d49d8 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,6 +19,17 @@ Advisories
2015
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* 2015-11-04: TLS certificate authentication bypass
+
+ When the bugs affecting X.509 path validation were fixed in 1.11.22, a check
+ in Credentials_Manager::verify_certificate_chain was accidentally removed
+ which caused path validation failures not to be signaled to the TLS layer. So
+ for affected versions, certificate authentication in TLS is bypassed. As a
+ workaround, applications can override the call and implement the correct
+ check. Reported by Florent Le Coz in GH #324
+
+ Introduced in 1.11.22, fixed in 1.11.24
+
* 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
A padding oracle attack was possible against TLS CBC ciphersuites because if a
diff --git a/readme.rst b/readme.rst
index cf0e93acc..1a0ec1e4a 100644
--- a/readme.rst
+++ b/readme.rst
@@ -36,7 +36,10 @@ inclusion into external build systems.
If you need help or have questions, send a mail to the
`mailing list <http://lists.randombit.net/mailman/listinfo/botan-devel/>`_
or open a ticket on
-`GitHub Issues <https://github.com/randombit/botan/issues>`_.
+`GitHub Issues <https://github.com/randombit/botan/issues>`_. If you
+think you've found a security bug, read the
+`security page <http://botan.randombit.net/security.html>`_
+for contact information and procedures.
The `GitHub wiki <https://github.com/randombit/botan/wiki>`_
and `Doxygen docs <https://botan.randombit.net/doxygen>`_
@@ -103,9 +106,9 @@ later, Clang 3.4 and later, and MSVC 2013 are regularly tested.
A new development release is made on the first Monday of every month.
The latest development release is
-`1.11.23 <http://botan.randombit.net/releases/Botan-1.11.23.tgz>`_
-`(sig) <http://botan.randombit.net/releases/Botan-1.11.23.tgz.asc>`_
-released on 2015-10-26
+`1.11.24 <http://botan.randombit.net/releases/Botan-1.11.24.tgz>`_
+`(sig) <http://botan.randombit.net/releases/Botan-1.11.24.tgz.asc>`_
+released on 2015-11-04
Old Stable Series (1.10)
----------------------------------------