mbed TLS 2.1.1,mbed TLS 1.3.13 和 PolarSSL 1.2.16 发布,都是维护版本,主要修复了一些 bug 和安全问题。
安全问题
Florian Weimar from Red Hat published on Lenstra's RSA-CRT attach for PKCS#1 v1.5 signatures
Fabian Foerg of Gotham Digital Science found a possible client-side NULL pointer dereference, using the AFL Fuzzer.
改进
mbed TLS 1.3.13 在信任中间证书的情况下可以接收一个证书链。
mbed TLS 2.1.1 修改了一个 API 调用原型 (mbedtls_ssl_conf_cert_profile()) 。
Bug 修复
Setting SSL_MIN_DHM_BYTES in config.h had no effect (overriden in ssl.h) (found by Fabio Solari) (#256)
Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could result trying to unlock an unlocked mutex on invalid input (found by Fredrik Axelsson) (#257)
Fix -Wshadow warnings (found by hnrkp) (#240)
Fix unused function warning when using MBEDTLS_MDx_ALT or MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
Fix memory corruption in pkey programs (found by yankuncheng) (#210)
Fix memory corruption on client with overlong PSK identity, around SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by Aleksandrs Saveljevs) (#238)
Fix off-by-one error in parsing Supported Point Format extension that caused some handshakes to fail.
软件详情:https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.1-and-1.3.13-and-polarssl-1.2.16-released
下载地址:https://tls.mbed.org/download/mbedtls-2.1.1-apache.tgz
来自:开源中国社区
