Changed attribution for Guido Vranken

2015-10-05 10:18:17 +01:00 · 2015-10-05 10:18:17 +01:00 · c48b66bfb6
commit c48b66bfb6
parent 6418ffaadb
1 changed files with 15 additions and 17 deletions
--- a/32
+++ b/32
@ -4,22 +4,27 @@ mbed TLS ChangeLog (Sorted per branch, date)

 Security
   * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
-     overflow of the hostname or session ticket. Found by Guido Vranken.
+     overflow of the hostname or session ticket. Found by Guido Vranken,
+     Intelworks.
   * Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
     once in the same handhake and mbedtls_ssl_conf_psk() was used.
-     Found and patch provided by Guido Vranken. Cannot be forced remotely.
+     Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
+     remotely.
   * Fix stack buffer overflow in pkcs12 decryption (used by
     mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
-     Found by Guido Vranken. Not triggerable remotely.
+     Found by Guido Vranken, Intelworks. Not triggerable remotely.
   * Fix potential buffer overflow in mbedtls_mpi_read_string().
-     Found by Guido Vranken. Not exploitable remotely in the context of TLS,
-     but might be in other uses. On 32 bit machines, requires reading a string
-     of close to or larger than 1GB to exploit; on 64 bit machines, would require
-     reading a string of close to or larger than 2^62 bytes.
+     Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
+     of TLS, but might be in other uses. On 32 bit machines, requires reading a
+     string of close to or larger than 1GB to exploit; on 64 bit machines, would
+     require reading a string of close to or larger than 2^62 bytes.
   * Fix potential random memory allocation in mbedtls_pem_read_buffer()
-     on crafted PEM input data. Found an fix provided by Guid Vranken.
-     Not triggerable remotely in TLS. Triggerable remotely if you accept PEM
-     data from an untrusted source.
+     on crafted PEM input data. Found and fix provided by Guido Vranken,
+     Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
+     accept PEM data from an untrusted source.
+   * Fix possible heap buffer overflow in base64_encoded() when the input
+     buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
+     Intelworks. Not trigerrable remotely in TLS.

 Changes
   * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
@ -29,13 +34,6 @@ Changes

 = mbed TLS 2.1.1 released 2015-09-17

-Security
-   * Fix possible heap buffer overflow in base64_encoded() when the input
-     buffer is 512MB or larger on 32-bit platforms.
-     Found by Guido Vranken. Not trigerrable remotely in TLS.
-
-= mbed TLS 2.1.1 released 2015-09-17
-
 Security
   * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
     signatures. (Found by Florian Weimer, Red Hat.)