diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/news.rst | 14 | ||||
-rw-r--r-- | doc/security.rst | 8 |
2 files changed, 18 insertions, 4 deletions
diff --git a/doc/news.rst b/doc/news.rst index 2effcf0fd..b2757a2a8 100644 --- a/doc/news.rst +++ b/doc/news.rst @@ -1,9 +1,21 @@ Release Notes ======================================== -Version 1.11.27, Not Yet Released +Version 1.11.27, 2016-02-01 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* SECURITY: Avoid heap overflow in ECC point decoding. This could + likely result in remote code execution. CVE-2016-2195 + +* SECURITY: Avoid one word heap overflow in P-521 reduction function. + This could potentially lead to remote code execution or other + attack. CVE-2016-2196. + +* SECURITY: Avoid infinite or near-infinite loop during modular square + root algorithm with invalid inputs. CVE-2016-2194 + +* Add Blake2b hash function. GH #413 + * Use m_ prefix on all member variables. GH #398 and #407 * Use final qualifier on many classes. GH #408 diff --git a/doc/security.rst b/doc/security.rst index 2552d6751..4f18381d6 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -19,12 +19,14 @@ Advisories 2016 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* 2016-06-01 (CVE-2016-2196): Overwrite in P-521 reduction +* 2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction The P-521 reduction function would overwrite zero to one word following the allocated block. This could potentially result in remote code execution or a crash. Found with AFL + Introduced in 1.11.10, fixed in 1.11.27 + * 2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point The PointGFp constructor did not check that the affine coordinate @@ -49,7 +51,7 @@ Advisories Found by Alex Gaynor fuzzing with AFL - Versions affected: all before 1.11.27 and 1.10.11 + Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11 * 2016-02-01 (CVE-2016-2194): Infinite loop in modulur square root algorithm @@ -60,7 +62,7 @@ Advisories This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression. Found by AFL - Versions affected: all before 1.11.27 and 1.10.11 + Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11 2015 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |