diff --git a/ChangeLog.d/fix-string-to-names-memory-management.txt b/ChangeLog.d/fix-string-to-names-memory-management.txt index 87bc59694f..6b744a74fb 100644 --- a/ChangeLog.d/fix-string-to-names-memory-management.txt +++ b/ChangeLog.d/fix-string-to-names-memory-management.txt @@ -10,6 +10,7 @@ Security were affected (use-after-free if the san string contains more than one DN). Code that does not call mbedtls_string_to_names() directly is not affected. Found by Linh Le and Ngan Nguyen from Calif. + CVE-2025-47917 Changes * The function mbedtls_x509_string_to_names() now requires its head argument diff --git a/ChangeLog.d/fix-string-to-names-store-named-data.txt b/ChangeLog.d/fix-string-to-names-store-named-data.txt index e517cbb72a..b088468612 100644 --- a/ChangeLog.d/fix-string-to-names-store-named-data.txt +++ b/ChangeLog.d/fix-string-to-names-store-named-data.txt @@ -6,3 +6,5 @@ Security users of the output structure, such as mbedtls_x509_write_names(). This only affects applications that create (as opposed to consume) X.509 certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif. + CVE-2025-48965 + diff --git a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt index b81fb426a7..506f2bdf0e 100644 --- a/ChangeLog.d/fix_reporting_of_key_usage_issues.txt +++ b/ChangeLog.d/fix_reporting_of_key_usage_issues.txt @@ -9,3 +9,4 @@ Security authentication anyway. Only TLS 1.3 servers were affected, and only with optional authentication (required would abort the handshake with a fatal alert). + CVE-2024-45159 diff --git a/ChangeLog.d/mbedtls_ssl_set_hostname.txt b/ChangeLog.d/mbedtls_ssl_set_hostname.txt index 250a5baafa..05f375dcb3 100644 --- a/ChangeLog.d/mbedtls_ssl_set_hostname.txt +++ b/ChangeLog.d/mbedtls_ssl_set_hostname.txt 
@@ -14,3 +14,5 @@ Security MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if mbedtls_ssl_set_hostname() has not been called. Reported by Daniel Stenberg. + CVE-2025-27809 +
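Review bot: In the fix-string-to-names-memory-management.txt hunk, the context line directly above the new CVE-2025-47917 line names the function mbedtls_string_to_names(), while the Changes entry that follows in the same file calls it mbedtls_x509_string_to_names(). Now that this entry carries a CVE identifier, readers will search the ChangeLog by function name to decide whether they are affected, so the Security paragraph should use the same name as the Changes entry. Consider correcting that line as part of this change.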
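Review bot: The fix-string-to-names-store-named-data.txt hunk adds an empty "+" line after CVE-2025-48965, and the mbedtls_ssl_set_hostname.txt hunk does the same after CVE-2025-27809, so both files now end with a trailing blank line. The other two files in this patch receive only the CVE line. Drop the extra blank line in both places so all four entries end the same way and the assembled ChangeLog does not pick up stray spacing between Security items.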