a49a81a92f
Fixes two high-severity vulnerabilities:
- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
can be bypassed. If a malicious client does not send the
certificate_verify message a client can connect without presenting a
certificate even if the server requires one.
- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
v1.3 server can have its certificate heck bypassed. If the sig_algo in
the certificate_verify message is different than the certificate
message checking may be bypassed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| base-files | ||
| boot | ||
| devel | ||
| emortal | ||
| firmware | ||
| kernel | ||
| libs | ||
| network | ||
| system | ||
| utils | ||
| Makefile | ||