path: root/doc/security.rst
Commit log (commit message; author; date; files changed, lines removed/added)

* Correct affected version range for CVE-2018-20187
  Jack Lloyd; 2018-12-19; 1 file, -1/+1

    Using the Montgomery ladder for operator* was introduced in ca155a7e54;
    previous versions did something different, which was itself vulnerable
    to side channels, but not with the same issue as CVE-2018-20187.

* Avoid using unblinded Montgomery ladder during ECC key generation
  Jack Lloyd; 2018-12-18; 1 file, -0/+9

    As doing so means that information about the high bits of the scalar can
    leak via timing, since the loop bound depends on the length of the scalar.
    An attacker who has such information can perform a more efficient brute
    force attack (using Pollard's rho) than would be possible otherwise.

    Found by Ján Jančár (@J08nY) using ECTester
    (https://github.com/crocs-muni/ECTester)

    CVE-2018-20187

* Use Botan specific CVE for ECDSA side channel [ci skip]
  Jack Lloyd; 2018-06-15; 1 file, -3/+2

* Address DSA/ECDSA side channel
  Jack Lloyd; 2018-06-13; 1 file, -0/+8

* Add security advisory
  Jack Lloyd; 2018-04-10; 1 file, -0/+11

* Fix quoting
  Jack Lloyd; 2018-04-03; 1 file, -2/+2

* Fix bugs in wildcard matching
  Jack Lloyd; 2018-03-31; 1 file, -0/+13

    We would incorrectly accept invalid matches; for example,
    b*.example.net could match foobar.example.net.

    Introduced in 289cc25709b08

* Update news
  Jack Lloyd; 2017-09-28; 1 file, -0/+11

* Fix failure to fully zero memory before free
  Jack Lloyd; 2017-07-16; 1 file, -0/+13

    Introduced in 455bd2557cbb1343e59eefd97cb449f06a702c28

    Found and reported by Roman Pozlevich

* Fix X509 DN comparisons
  Jack Lloyd; 2017-04-04; 1 file, -1/+12

    CVE-2017-2801

* Note that bcrypt bug was introduced in 1.11.0
  Jack Lloyd; 2017-03-28; 1 file, -2/+4

    Specifically 9644a3ecebb15. So 1.10 was not affected, as it instead
    throws an exception for passwords longer than 56 chars, which is
    incompatible with other bcrypt APIs but does not introduce any security
    problems.

    [ci skip]

* Add relnotes and CVE
  Jack Lloyd; 2017-03-24; 1 file, -1/+1

* Fix incorrect password truncation in bcrypt password hashing.
  Jack Lloyd; 2017-03-24; 1 file, -0/+11

    The 56 char bound is bogus; Blowfish itself allows at most 448 bits in
    the key schedule, but Bcrypt's modification allows up to 72 chars for
    the password.

    Bug pointed out by Solar Designer.

    Also reject work factors 0...3 since all other extant bcrypt
    implementations require at least work factor 4.

    Adds more bcrypt tests generated by crypt_bcrypt and OpenBSD's version.

* Switch to readthedocs Sphinx theme
  Jack Lloyd; 2017-01-07; 1 file, -5/+2

    Move some text and change some headers to look better with how the rtd
    theme formats the table of contents.

    GH #822

* Note range of versions affected by CVE-2016-9132
  Jack Lloyd; 2016-11-28; 1 file, -0/+2

    [ci skip]

* Update news
  Jack Lloyd; 2016-11-28; 1 file, -1/+1

* Check for overflow in BER decoder EOC scanning
  Jack Lloyd; 2016-11-27; 1 file, -1/+10

* Fix Sphinx formatting errors
  Jack Lloyd; 2016-11-06; 1 file, -3/+5

    [ci skip]

* Fix ReST formatting [ci skip]
  Jack Lloyd; 2016-10-26; 1 file, -1/+1

* Final changes for 1.11.33 release (tag: 1.11.33)
  Jack Lloyd; 2016-10-26; 1 file, -0/+14

* Update my email address and PGP keys
  Jack Lloyd; 2016-10-25; 1 file, -2/+2

    [email protected] is still a valid email address for me but I am using
    [email protected] going forward.

    [ci skip]

* Update for 1.11.31 release (tag: 1.11.31)
  Jack Lloyd; 2016-08-30; 1 file, -0/+18

* Doc updates
  Jack Lloyd; 2016-04-28; 1 file, -2/+2

    [ci skip]

* Release 1.11.29 (tag: 1.11.29)
  Jack Lloyd; 2016-03-20; 1 file, -2/+25

* Update news for 1.11.27 release (tag: 1.11.27)
  Jack Lloyd; 2016-02-01; 1 file, -3/+5

* Fix heap overflow in ECC point multiplication
  Jack Lloyd; 2016-02-01; 1 file, -1/+34

    If affine coordinates larger than the prime modulus were given, a later
    multiplication could overflow the size of an allocated output buffer,
    which was sized based on the size of the prime. This will cause an
    overflow into either the system heap or, if the mlock/mmap pool
    allocator is in use, then into the adjacent key material stored in the
    pool.

    Reported by Alex Gaynor, who found it with AFL.

    Also fix a one word overwrite in P-521 reduction. Found with AFL.

* Fix (nearly) infinite loop in RESSOL (modular square root).
  Jack Lloyd; 2016-02-01; 1 file, -0/+13

    It first computed the first i for q**(2**i) == 1, then checked that i
    was smaller than s. Given a composite modulus (for which the algorithm
    does not work), the loop might do a very large amount of work before
    returning the failure.

* Update for 1.11.24 release (tag: 1.11.24)
  Jack Lloyd; 2015-11-04; 1 file, -0/+11

* 1.11.22 release (tag: 1.11.22)
  Jack Lloyd; 2015-10-26; 1 file, -4/+63

* Add security notifications/advisory page to website.
  Jack Lloyd; 2015-10-15; 1 file, -0/+51

    Based on GH #272