aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/news.rst14
-rw-r--r--doc/security.rst8
2 files changed, 18 insertions, 4 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 2effcf0fd..b2757a2a8 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,9 +1,21 @@
Release Notes
========================================
-Version 1.11.27, Not Yet Released
+Version 1.11.27, 2016-02-01
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* SECURITY: Avoid heap overflow in ECC point decoding. This could
+ likely result in remote code execution. CVE-2016-2195
+
+* SECURITY: Avoid one word heap overflow in P-521 reduction function.
+ This could potentially lead to remote code execution or other
+ attack. CVE-2016-2196.
+
+* SECURITY: Avoid infinite or near-infinite loop during modular square
+ root algorithm with invalid inputs. CVE-2016-2194
+
+* Add Blake2b hash function. GH #413
+
* Use m_ prefix on all member variables. GH #398 and #407
* Use final qualifier on many classes. GH #408
diff --git a/doc/security.rst b/doc/security.rst
index 2552d6751..4f18381d6 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,12 +19,14 @@ Advisories
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-* 2016-06-01 (CVE-2016-2196): Overwrite in P-521 reduction
+* 2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction
The P-521 reduction function would overwrite zero to one word
following the allocated block. This could potentially result
in remote code execution or a crash. Found with AFL
+ Introduced in 1.11.10, fixed in 1.11.27
+
* 2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point
The PointGFp constructor did not check that the affine coordinate
@@ -49,7 +51,7 @@ Advisories
Found by Alex Gaynor fuzzing with AFL
- Versions affected: all before 1.11.27 and 1.10.11
+ Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11
* 2016-02-01 (CVE-2016-2194): Infinite loop in modulur square root algorithm
@@ -60,7 +62,7 @@ Advisories
This function is exposed to attacker controlled input via the OS2ECP
function during ECC point decompression. Found by AFL
- Versions affected: all before 1.11.27 and 1.10.11
+ Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11
2015
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^