This release fixes a possible timing side channel in the PolarSSL SSL module during decryption of the buffer due to badly formatted padding in the incoming message. Check out PolarSSL Security Advisory 2013-01 for more information.
In addition some flags have been added to manipulate behaviour of the SSL module with regards of sending of non-critical alert messages (from an interoperability point of view) and debugging of bad padding bytes.
The final addition is a dummy error_strerror() function that makes it easier to use the function in code without needing constant checks to see if POLARSSL_ERROR_C is defined.
Who should update
Our advice for users of the PolarSSL 1.2 branch is to update:
- in order to remove the timing side channel (See PolarSSL Security Advisory 2013-01)
Get your copy here: polarssl-1.2.5-gpl.tgz
The hashes for polarssl-1.2.5-gpl.tgz are:
SHA-1 : 84a703feaeb00cb5fba74a4aa7168e79128bbb19 SHA-256: ee596851684faef5af124902a27abec0461b2311eee1aa9620d732f9ea4d124a