x509_verify() function now matches the domain name given to it in cn in a case insensitive way as per RFC 6125 section 6.4.
A number of small memory leaks and file descriptor leaks in uncommon situations have been fixed.
A remote timing attack that can recover the RSA private key (Security Advisory 2013-05) has been fixed. Warning: the fix makes it impossible to use the same x509 certificate in multiple threads at the same time (which was possible before) or you have to disable CRT (POLARSSL_RSA_NO_CRT). The version in PolarSSL 1.3.0 is thread-safe.
A couple of possible local overflows have been fixed. Check the ChangeLog for more details.
Who should update
Our advice for users of the PolarSSL 1.2 branch is to update!
Get your copy here: polarssl-1.2.9-gpl.tgz
The hashes for polarssl-1.2.9-gpl.tgz are:
SHA-1 : c870ba466ddf6a9fc3b62c57bf8a316c331f104b SHA-256: d125a6e7eb6eb3e5110035df1469099c5463837b1ef734e60771095dafc0ef56