 doc/security.rst | 11 +++++++++++
 readme.rst       | 11 +++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/doc/security.rst b/doc/security.rst index 192571829..84d8d49d8 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -19,6 +19,17 @@ Advisories 2015 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* 2015-11-04: TLS certificate authentication bypass + + When the bugs affecting X.509 path validation were fixed in 1.11.22, a check + in Credentials_Manager::verify_certificate_chain was accidentally removed + which caused path validation failures not to be signaled to the TLS layer. So + for affected versions, certificate authentication in TLS is bypassed. As a + workaround, applications can override the call and implement the correct + check. Reported by Florent Le Coz in GH #324 + + Introduced in 1.11.22, fixed in 1.11.24 + * 2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS A padding oracle attack was possible against TLS CBC ciphersuites because if a diff --git a/readme.rst b/readme.rst index cf0e93acc..1a0ec1e4a 100644 --- a/readme.rst +++ b/readme.rst @@ -36,7 +36,10 @@ inclusion into external build systems. If you need help or have questions, send a mail to the `mailing list <http://lists.randombit.net/mailman/listinfo/botan-devel/>`_ or open a ticket on -`GitHub Issues <https://github.com/randombit/botan/issues>`_. +`GitHub Issues <https://github.com/randombit/botan/issues>`_. If you +think you've found a security bug, read the +`security page <http://botan.randombit.net/security.html>`_ +for contact information and procedures. The `GitHub wiki <https://github.com/randombit/botan/wiki>`_ and `Doxygen docs <https://botan.randombit.net/doxygen>`_ 
@@ -103,9 +106,9 @@ later, Clang 3.4 and later, and MSVC 2013 are regularly tested. A new development release is made on the first Monday of every month. The latest development release is -`1.11.23 <http://botan.randombit.net/releases/Botan-1.11.23.tgz>`_ -`(sig) <http://botan.randombit.net/releases/Botan-1.11.23.tgz.asc>`_ -released on 2015-10-26 +`1.11.24 <http://botan.randombit.net/releases/Botan-1.11.24.tgz>`_ +`(sig) <http://botan.randombit.net/releases/Botan-1.11.24.tgz.asc>`_ +released on 2015-11-04 Old Stable Series (1.10) ---------------------------------------- |
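Review bot: In the doc/security.rst hunk, the new advisory entry has no CVE identifier in its heading while the adjacent 2015-10-26 entry carries "(CVE-2015-7824)"; a TLS certificate authentication bypass is the kind of issue downstream packagers track by CVE, so either add the identifier once assigned or state explicitly that none has been requested. Two smaller points in the same paragraph: "applications can override the call" does not say which call, so name it ("override Credentials_Manager::verify_certificate_chain and have it throw on a path validation failure"), and the sentence ending "Reported by Florent Le Coz in GH #324" is missing its full stop.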
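Review bot: In the first readme.rst hunk, the newly added security page link uses "http://botan.randombit.net/security.html" while the Doxygen link in the same hunk already uses "https://botan.randombit.net/doxygen"; since this page is where reporters are sent for contact information and procedures, serve it over https for consistency and so that the contact details are not exposed to in-transit modification.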
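Review bot: In the second readme.rst hunk, the bumped tarball and ".asc" signature links keep the "http://" scheme although the same file now links the Doxygen docs over "https://"; the detached signature still protects the archive, but the URLs should be switched to https in the same pass for consistency. The version (1.11.24) and date (2015-11-04) agree with the "fixed in 1.11.24" line of the new advisory, so the two files are consistent with each other.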