Mbed TLS 2.7.15

@danh-arm danh-arm released this 14 Apr 15:48
21522a4

Description

Mbed TLS 2.7.15 is a maintenance release of the Mbed TLS 2.7 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues, and the most severe one is described in more detail in a security advisory.

Security

  • Fix side channel in ECC code that allowed an adversary with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) to fully recover an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya, Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
  • Fix a potentially remotely exploitable buffer overread in a DTLS client when parsing the Hello Verify Request message.
  • Fix a bug in DTLS handling of new associations with the same parameters (RFC 6347 section 4.2.8): after sending its HelloVerifyRequest, the server would end up with corrupted state and only send invalid records to the client. An attacker able to send forged UDP packets to the server could use this to cause a denial of service. This could only happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h (which it is by default).

Bugfix

  • Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
  • Fix a function name in a debug message. Contributed by Ercan Ozturk in #3013.

Who should update

We recommend that all affected users update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.