From 3ad3efab44b5cefe87c8f1b3b080721744ed3fe4 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 8 Mar 2021 18:23:09 +0000 Subject: [PATCH] Update Changelog for 2.7.19 Signed-off-by: Dave Rodgman --- ChangeLog | 41 +++++++++++++++++++ ChangeLog.d/build-without-certs.txt | 3 -- ChangeLog.d/drbg-mutex.txt | 5 --- ChangeLog.d/issue4093.txt | 7 ---- ...make_base64_table_access_constant_flow.txt | 4 -- ChangeLog.d/mpi_sub_abs.txt | 7 ---- ChangeLog.d/net_poll-fd_setsize.txt | 3 -- ChangeLog.d/rsa-mutex.txt | 13 ------ ChangeLog.d/rsa_private-ret.txt | 2 - 9 files changed, 41 insertions(+), 44 deletions(-) delete mode 100644 ChangeLog.d/build-without-certs.txt delete mode 100644 ChangeLog.d/drbg-mutex.txt delete mode 100644 ChangeLog.d/issue4093.txt delete mode 100644 ChangeLog.d/make_base64_table_access_constant_flow.txt delete mode 100644 ChangeLog.d/mpi_sub_abs.txt delete mode 100644 ChangeLog.d/net_poll-fd_setsize.txt delete mode 100644 ChangeLog.d/rsa-mutex.txt delete mode 100644 ChangeLog.d/rsa_private-ret.txt diff --git a/ChangeLog b/ChangeLog index 024dd39c5c..e0e9c29a09 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,46 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.7.19 branch released 2021-03-12 + +Default behavior changes + * In mbedtls_rsa_context objects, the ver field was formerly documented + as always 0. It is now reserved for internal purposes and may take + different values. + +Security + * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating + |A| - |B| where |B| is larger than |A| and has more limbs (so the + function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only + applications calling mbedtls_mpi_sub_abs() directly are affected: + all calls inside the library were safe since this function is + only called with |A| >= |B|. Reported by Guido Vranken in #4042. + * Fix an errorneous estimation for an internal buffer in + mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd + value the function might fail to write a private RSA keys of the largest + supported size. + Found by Daniel Otte, reported in #4093 and fixed in #4094, + backported in #4099. + * Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a + file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169. + * Guard against strong local side channel attack against base64 tables by + making access aceess to them use constant flow code. + +Bugfix + * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C + is enabled, on platforms where initializing a mutex allocates resources. + This was a regression introduced in the previous release. Reported in + #4017, #4045 and #4071. + * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() + twice is safe. This happens for RSA when some Mbed TLS library functions + fail. Such a double-free was not safe when MBEDTLS_THREADING_C was + enabled on platforms where freeing a mutex twice is not safe. 
+ * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() + when MBEDTLS_THREADING_C is enabled on platforms where initializing + a mutex allocates resources. + * Fix an incorrect error code if an RSA private operation glitched. + * Fix the build of sample programs when MBEDTLS_PEM_C is enabled but + MBEDTLS_CERTS_C is disabled. Reported by Michael Schuster in #4206. + = mbed TLS 2.7.18 branch released 2020-12-11 Security diff --git a/ChangeLog.d/build-without-certs.txt b/ChangeLog.d/build-without-certs.txt deleted file mode 100644 index 9bb7384061..0000000000 --- a/ChangeLog.d/build-without-certs.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix the build of sample programs when MBEDTLS_PEM_C is enabled but - MBEDTLS_CERTS_C is disabled. Reported by Michael Schuster in #4206. diff --git a/ChangeLog.d/drbg-mutex.txt b/ChangeLog.d/drbg-mutex.txt deleted file mode 100644 index 3ac5abfa88..0000000000 --- a/ChangeLog.d/drbg-mutex.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C - is enabled, on platforms where initializing a mutex allocates resources. - This was a regression introduced in the previous release. Reported in - #4017, #4045 and #4071. diff --git a/ChangeLog.d/issue4093.txt b/ChangeLog.d/issue4093.txt deleted file mode 100644 index fe4ce49f37..0000000000 --- a/ChangeLog.d/issue4093.txt +++ /dev/null @@ -1,7 +0,0 @@ -Security - * Fix an errorneous estimation for an internal buffer in - mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd - value the function might fail to write a private RSA keys of the largest - supported size. - Found by Daniel Otte, reported in #4093 and fixed in #4094, - backported in #4099. diff --git a/ChangeLog.d/make_base64_table_access_constant_flow.txt b/ChangeLog.d/make_base64_table_access_constant_flow.txt deleted file mode 100644 index 733c972d08..0000000000 --- a/ChangeLog.d/make_base64_table_access_constant_flow.txt +++ /dev/null 
@@ -1,4 +0,0 @@ -Security - * Guard against strong local side channel attack against base64 tables by - making access aceess to them use constant flow code. - diff --git a/ChangeLog.d/mpi_sub_abs.txt b/ChangeLog.d/mpi_sub_abs.txt deleted file mode 100644 index 9f34ee74bd..0000000000 --- a/ChangeLog.d/mpi_sub_abs.txt +++ /dev/null @@ -1,7 +0,0 @@ -Security - * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating - |A| - |B| where |B| is larger than |A| and has more limbs (so the - function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only - applications calling mbedtls_mpi_sub_abs() directly are affected: - all calls inside the library were safe since this function is - only called with |A| >= |B|. Reported by Guido Vranken in #4042. diff --git a/ChangeLog.d/net_poll-fd_setsize.txt b/ChangeLog.d/net_poll-fd_setsize.txt deleted file mode 100644 index 23b11bb599..0000000000 --- a/ChangeLog.d/net_poll-fd_setsize.txt +++ /dev/null @@ -1,3 +0,0 @@ -Security - * Fix a stack buffer overflow with mbedtls_net_recv_timeout() when given a - file descriptor that is beyond FD_SETSIZE. Reported by FigBug in #4169. diff --git a/ChangeLog.d/rsa-mutex.txt b/ChangeLog.d/rsa-mutex.txt deleted file mode 100644 index 2a477a9cbb..0000000000 --- a/ChangeLog.d/rsa-mutex.txt +++ /dev/null @@ -1,13 +0,0 @@ -Bugfix - * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free() - twice is safe. This happens for RSA when some Mbed TLS library functions - fail. Such a double-free was not safe when MBEDTLS_THREADING_C was - enabled on platforms where freeing a mutex twice is not safe. - * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key() - when MBEDTLS_THREADING_C is enabled on platforms where initializing - a mutex allocates resources. - -Default behavior changes - * In mbedtls_rsa_context objects, the ver field was formerly documented - as always 0. It is now reserved for internal purposes and may take - different values. 
diff --git a/ChangeLog.d/rsa_private-ret.txt b/ChangeLog.d/rsa_private-ret.txt deleted file mode 100644 index b965cea770..0000000000 --- a/ChangeLog.d/rsa_private-ret.txt +++ /dev/null @@ -1,2 +0,0 @@ -Bugfix - * Fix an incorrect error code if an RSA private operation glitched.
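Review bot: The Security section added to ChangeLog in the `@@ -1,5 +1,46 @@` hunk copies three wording errors verbatim from the ChangeLog.d fragments: "errorneous estimation" should be "erroneous estimation", "write a private RSA keys" should be "write a private RSA key" (or "write private RSA keys"), and "making access aceess to them" should be "making access to them". This is the text users read in the release notes, so fix it in the assembled ChangeLog in this commit. In the same section, the mbedtls_pk_write_key_pem() entry describes only a functional failure ("the function might fail to write a private RSA keys of the largest supported size") and never states the security consequence of the wrong buffer estimate. Either say what the impact is or move the entry to Bugfix, so that integrators can tell whether they need to act on it. The base64 entry and the Bugfix entry "Fix an incorrect error code if an RSA private operation glitched" also name no affected function or issue number, unlike the other entries in this release. Adding them would let readers check whether their code is affected.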