v3.5.2
版本发布时间: 2024-01-26 18:18:29
Mbed-TLS/mbedtls最新发布版本:mbedtls-3.6.2(2024-10-15 20:35:06)
Description
This release of Mbed TLS provides fixes for security issues.
Security Advisories
For full details, please see the following link:
Release Notes
Security
- Fix a timing side channel in private key RSA operations. This side channel could be sufficient for an attacker to recover the plaintext. A local attacker or a remote attacker who is close to the victim on the network might have precise enough timing measurements to exploit this. It requires the attacker to send a large number of messages for decryption. For details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported by Hubert Kario, Red Hat.
- Fix a failure to validate input when writing x509 extensions lengths which could result in an integer overflow, causing a zero-length buffer to be allocated to hold the extension. The extension would then be copied into the buffer, causing a heap buffer overflow.
Who should update
We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.
Checksum
The SHA256 hashes for the archives are:
35890edf1a2c7a7e29eac3118d43302c3e1173e0df0ebaf5db56126dabe5bb05 v3.5.2.tar.gz eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723 mbedtls-3.5.2.tar.gz
55c1525e7d5de18b84a1d1e5540950b4a3bac70e02889cf309919b2877cba63b v3.5.2.zip fea0c12622044ef0d594361e83b2c2b5e4ca56bc1b44126ccca50872c7d6d4f6 mbedtls-3.5.2.zip
The URLs below point to the archives named vX.Y.Z.... When checking hashes, please be aware that due to GitHub's use of the Content-Disposition header, some clients will download the vX.Y.Z... archive and save it with the filename mbedtls-X.Y.Z....