Mbed TLS 2.7.14
yanesca released this 25 Feb 18:42
Description
Mbed TLS 2.7.14 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release brings fixes for a security issue, as described in more detail in our security advisory.
Security
- To avoid a side channel vulnerability when parsing an RSA private key, read all the CRT parameters from the DER structure rather than reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob Brumley. Reported and fix contributed by Jack Lloyd. ARMmbed/mbed-crypto#352
Bugfix
- Fix an unchecked call to mbedtls_md() in the x509write module.
- Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys that would later be rejected by functions expecting private keys. Found by Catena cyber using oss-fuzz (issue 20467).
- Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some RSA keys with invalid values by silently fixing those values.
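The Security entry and the two mbedtls_pk_parse_key() entries above describe the same parsing discipline: take every field of the PKCS#1 RSAPrivateKey from the DER input and reject a key that is incomplete or invalid rather than repairing it. The Python sketch below is an added example, not Mbed TLS code; the function names are hypothetical, the toy key is constructed, and treating a zero field as invalid is an assumption made for the illustration.

```python
FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4 or pos + count > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """Read all nine INTEGERs; reject a missing or zero field, never recompute it."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, raw, pos = read_tlv(body, pos)
        if tag != 0x02 or not raw or raw[0] & 0x80:
            raise ValueError("expected a non-negative INTEGER")
        values.append(int.from_bytes(raw, "big"))
    if len(values) != len(FIELDS):
        raise ValueError("expected 9 INTEGERs, got %d" % len(values))
    key = dict(zip(FIELDS, values))
    if key["version"] != 0:  # two-prime keys only; multi-prime is out of scope here
        raise ValueError("unsupported version")
    for name in FIELDS[1:]:
        if key[name] == 0:  # assumption: a zero field is treated as invalid
            raise ValueError(name + " is zero")
    return key

def encode_key(values):
    """Build a toy DER key (short-form lengths only) for the sample below."""
    ints = b"".join(
        bytes([0x02, v.bit_length() // 8 + 1]) + v.to_bytes(v.bit_length() // 8 + 1, "big")
        for v in values)
    return bytes([0x30, len(ints)]) + ints

# Constructed toy key (p=61, q=53), far too small for real use.
SAMPLE = encode_key([0, 3233, 17, 2753, 61, 53, 53, 49, 38])

if __name__ == "__main__":
    print(parse_rsa_private_key(SAMPLE))
```

The parser never derives dp, dq or qinv from d, p and q, so no secret-dependent arithmetic runs during parsing.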
Who should update
We recommend that all affected users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.