Revised and clarified ChangeLog
Minor changes to fix language, merge mistakes and incorrect classifications of
changes.
diff --git a/ChangeLog b/ChangeLog
index c269742..7575fd3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,9 +3,6 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
Security
- * Fix a potential memory leak in mbedtls_ssl_setup( ) function. An allocation
- failure could leave an unreleased buffer. A handshake init failure would
- lead to leaving two unreleased buffers.
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate extensions parsing. In case of receiving malformed
input (extensions length field equal to 0), an illegal read of one byte
@@ -31,6 +28,8 @@
the use of datagram packing (enabled by default).
Bugfix
+ * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
+ failure in the function could lead to other buffers being leaked.
* Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
@@ -38,7 +37,8 @@
* Add ecc extensions only if an ecc based ciphersuite is used.
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
- * Replace printf with mbedtls_printf in aria. Found by TrinityTonic in #1908.
+ * Replace printf with mbedtls_printf in the ARIA module. Found by
+ TrinityTonic in #1908.
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
@@ -54,11 +54,11 @@
* Fix overly strict bounds check in ssl_parse_certificate_request()
which could lead to valid CertificateRequest messages being rejected.
Fixes #1954.
+ * Fix undefined shifts with negative values in certificates parsing
+ (found by Catena cyber using oss-fuzz)
* Fix memory leak and free without initialization in pk_encrypt
and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
- * Remove redundant else statement, which is not readable, and the positive
- path in the if statement results in exiting the funciton. Raised by irwir
- in #1776.
+ * Remove redundant else statement. Raised by irwir. Fixes #1776.
Changes
* Copy headers preserving timestamps when doing a "make install".
@@ -67,15 +67,7 @@
Drozd. Fixes #1215 raised by randombit.
* Improve compatibility with some alternative CCM implementations by using
CCM test vectors from RAM.
- * Fix a miscalculation of the maximum record expansion in
- mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
- or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
* Add support for buffering of out-of-order handshake messages.
-
-INTERNAL NOTE: need to bump soversion of libmbedtls:
-- added new member 'mtu' to public 'mbedtls_ssl_conf' structure
-
-Changes
* Add warnings to the documentation of the HKDF module to reduce the risk
of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
functions. Fixes #1775. Reported by Brian J. Murray.
@@ -228,8 +220,6 @@
Bugfix
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
build to fail. Found by zv-io. Fixes #1651.
- * Fix undefined shifts with negative values in certificates parsing
- (found by Catena cyber using oss-fuzz)
Changes
* Support TLS testing in out-of-source builds using cmake. Fixes #1193.