PolarSSL 1.2.13 has been released!
Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting this will be made in the 1.2 branch at this point.
This release is a back-port of all bug fixes and security fixes that are in the 1.3 branch and are relevant for the 1.2 branch.
Most important are the security fixes that have been back-ported to the 1.2 branch. PolarSSL 1.2.13 fixes four remotely-triggerable issues that were found by the Codenomicon Defensics tool, including the one in Security Advisory 2014-04.
Important changes in this release include:
- Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
- Forbid repeated extensions in X.509 certificates.
- Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain (default = 8).
- Fix potential undefined behaviour in Camellia.
- Fix memory leaks in PKCS#5 and PKCS#12.
- Fix stack buffer overflow when ctr_drbg_update() is called with too large an add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
- Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced in 1.2.12).
- Fix unchecked return code in x509_crt_parse_path() on Windows (found by Peter Vaskovic).
- Fix assembly selection for MIPS64 (thanks to James Cowgill).
- ssl_get_verify_result() now works even if the handshake was aborted due to a failed verification (found by Fredrik Axelsson).
- Skip writing and parsing signature_algorithm extension if none of the key exchanges enabled needs certificates. This fixes a possible interop issue with some servers when a zero-length extension was sent. (Reported by Peter Dettman.)
- On a 0-length input, base64_encode() did not correctly set the output length (found by Hendrik van den Boogaard).
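The first item above (blinding RSA private operations even when POLARSSL_RSA_NO_CRT is defined) refers to the standard countermeasure against timing side channels on the private exponentiation. The following added example, which is not PolarSSL code and uses constructed toy primes, shows the technique: the ciphertext is multiplied by r^e for a random r before the private exponentiation and the result is unblinded with r^-1 afterwards, so the value actually exponentiated is unpredictable to an attacker. Both a plain (non-CRT) and a CRT private operation are wrapped by the same blinding routine, which is exactly the point of the fix: blinding must apply regardless of which core is compiled in. All function names and the key parameters are assumptions for illustration.

```python
import random
from math import gcd

# Constructed toy RSA key (illustration only; far too small for real use).
P = 61
Q = 53
N = P * Q                 # 3233
E = 17
PHI = (P - 1) * (Q - 1)   # 3120
D = pow(E, -1, PHI)       # 2753, the private exponent

# CRT components, as a library would precompute when CRT is enabled.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def rsa_private_plain(c, n=N, d=D):
    """Non-CRT private operation (the POLARSSL_RSA_NO_CRT style path)."""
    return pow(c, d, n)


def rsa_private_crt(c, p=P, q=Q, dp=DP, dq=DQ, qinv=QINV):
    """CRT private operation using Garner's recombination."""
    m1 = pow(c % p, dp, p)
    m2 = pow(c % q, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q


def rsa_private_blinded(c, core, n=N, e=E, rng=random.SystemRandom()):
    """Run `core` (either private operation above) on a blinded input.

    Blinding: pick random r with gcd(r, n) == 1, exponentiate c * r^e,
    then strip the factor r that the private exponent leaves behind,
    since (c * r^e)^d = c^d * r^(e*d) = c^d * r (mod n).
    The secret-dependent computation therefore never sees c itself.
    """
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    blinded = (c * pow(r, e, n)) % n
    out = core(blinded) % n
    return (out * r_inv) % n


def roundtrip(m, core):
    """Encrypt m with the public key and decrypt through the blinded core."""
    c = pow(m, E, N)
    return rsa_private_blinded(c, core)
```

Because the blinding factor is fresh for every call, two decryptions of the same ciphertext exponentiate different values while returning the same plaintext; the test below checks that both the CRT and non-CRT cores, wrapped in blinding, recover the message.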
Who should update
We advise users of PolarSSL to update if they:
- use any branch other than the 1.3 branch.
Get your copy here: polarssl-1.2.13-gpl.tgz
The hashes for polarssl-1.2.13-gpl.tgz are:
SHA-1 : 08ee40ee8385fc0fde05ca762adff9bd31f79fe7
SHA-256: 62f44f2a9f39b5cefb229e5dd2644ca20ead477cb1843d6ff30671624315b021