mirror of
https://github.com/godotengine/buildroot.git
synced 2026-01-01 13:49:03 +03:00
Fixes the following security issue:

0-byte record padding oracle (CVE-2019-1559)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.

For more details, see the advisory:

https://mta.openssl.org/pipermail/openssl-announce/2019-February/000148.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>