Changelogs: Added CVEs

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Minos Galanakis
2025-09-29 10:58:51 +01:00
parent 9364208e33
commit cc3f987c4f
4 changed files with 6 additions and 0 deletions

@@ -10,6 +10,7 @@ Security
were affected (use-after-free if the san string contains more than one DN).
Code that does not call mbedtls_string_to_names() directly is not affected.
Found by Linh Le and Ngan Nguyen from Calif.
CVE-2025-47917
Changes
* The function mbedtls_x509_string_to_names() now requires its head argument
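
Review bot: The context line just above the new CVE-2025-47917 line names the function as mbedtls_string_to_names(), while the Changes entry at the end of this hunk calls it mbedtls_x509_string_to_names(). Since this Security entry is being touched anyway, correct the name in the "is not affected" sentence so that someone searching the changelog for the affected API by its full name lands on the entry that carries the CVE identifier.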

@@ -6,3 +6,5 @@ Security
users of the output structure, such as mbedtls_x509_write_names(). This
only affects applications that create (as opposed to consume) X.509
certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif.
CVE-2025-48965
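
Review bot: The hunk header takes this fragment from 3 to 5 lines, but CVE-2025-48965 is the only added line with content, so the second addition appears to be an empty line at the end of the file. The @@ -9,3 +9,4 @@ hunk adds its CVE line alone; drop the extra blank line here, and in the @@ -14,3 +14,5 @@ hunk which has the same header pattern, so the four fragments end the same way, or say in the commit message why these two differ.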

@@ -9,3 +9,4 @@ Security
authentication anyway. Only TLS 1.3 servers were affected, and only with
optional authentication (required would abort the handshake with a fatal
alert).
CVE-2024-45159

@@ -14,3 +14,5 @@ Security
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
Reported by Daniel Stenberg.
CVE-2025-27809