Changed attribution for Guido Vranken
diff --git a/ChangeLog b/ChangeLog
index c527e06..ca2e717 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,22 +4,27 @@
Security
* Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
- overflow of the hostname or session ticket. Found by Guido Vranken.
+ overflow of the hostname or session ticket. Found by Guido Vranken,
+ Intelworks.
* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
once in the same handhake and mbedtls_ssl_conf_psk() was used.
- Found and patch provided by Guido Vranken. Cannot be forced remotely.
+ Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
+ remotely.
* Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
- Found by Guido Vranken. Not triggerable remotely.
+ Found by Guido Vranken, Intelworks. Not triggerable remotely.
* Fix potential buffer overflow in mbedtls_mpi_read_string().
- Found by Guido Vranken. Not exploitable remotely in the context of TLS,
- but might be in other uses. On 32 bit machines, requires reading a string
- of close to or larger than 1GB to exploit; on 64 bit machines, would require
- reading a string of close to or larger than 2^62 bytes.
+ Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
+ of TLS, but might be in other uses. On 32 bit machines, requires reading a
+ string of close to or larger than 1GB to exploit; on 64 bit machines, would
+ require reading a string of close to or larger than 2^62 bytes.
* Fix potential random memory allocation in mbedtls_pem_read_buffer()
- on crafted PEM input data. Found an fix provided by Guid Vranken.
- Not triggerable remotely in TLS. Triggerable remotely if you accept PEM
- data from an untrusted source.
+ on crafted PEM input data. Found and fix provided by Guido Vranken,
+ Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
+ accept PEM data from an untrusted source.
+ * Fix possible heap buffer overflow in base64_encoded() when the input
+ buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
+ Intelworks. Not trigerrable remotely in TLS.
Changes
* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
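Review bot: the added entry for base64_encoded() keeps the misspelling "trigerrable" from the removed 2.1.1 entry; since the line is being rewritten anyway, change "Not trigerrable remotely in TLS." to "Not triggerable remotely in TLS." so it matches the wording of the other entries in this section. While touching this block, the context line "once in the same handhake" could also be corrected to "handshake", and the "CVE-2015-xxxxx" placeholder in the first entry still needs the assigned identifier before release.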
@@ -30,13 +35,6 @@
= mbed TLS 2.1.1 released 2015-09-17
Security
- * Fix possible heap buffer overflow in base64_encoded() when the input
- buffer is 512MB or larger on 32-bit platforms.
- Found by Guido Vranken. Not trigerrable remotely in TLS.
-
-= mbed TLS 2.1.1 released 2015-09-17
-
-Security
* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
signatures. (Found by Florian Weimer, Red Hat.)
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
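Review bot: beyond the attribution change named in the commit message, this hunk also removes a duplicated "= mbed TLS 2.1.1 released 2015-09-17" / "Security" header pair and moves the base64_encoded() entry out of the released 2.1.1 section into the unreleased section at the top of the file. Because the entry sat between two copies of the 2.1.1 header, its intended release is ambiguous; please confirm the fix is not in the 2.1.1 release, and mention the header de-duplication and the entry move in the commit message so the history does not read as a pure attribution edit.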