Merge pull request #1187 from ronald-cron-arm/issue-1185
Add security change log for issue 1185
diff --git a/ChangeLog.d/tls13-only-server.txt b/ChangeLog.d/tls13-only-server.txt
new file mode 100644
index 0000000..9583bfb
--- /dev/null
+++ b/ChangeLog.d/tls13-only-server.txt
@@ -0,0 +1,10 @@
+Security
+ * When negotiating TLS version on server side, do not fall back to the
+ TLS 1.2 implementation of the protocol if it is disabled.
+ - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
+ client could put the TLS 1.3-only server in an infinite loop processing
+ a TLS 1.2 ClientHello, resulting in a denial of service. Reported by
+ Matthias Mucha and Thomas Blattmann, SICK AG.
+ - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
+ was able to successfully establish a TLS 1.2 connection with the server.
+ Reported by alluettiv on GitHub.
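Review bot: The new ChangeLog.d/tls13-only-server.txt entry does not reference the issue it addresses, although the commit title and PR branch name both identify it as issue 1185; consider adding the reference to the entry (for example a closing line such as `Fixes #1185.`) so the released changelog points back to the report. Also, the second bullet ("If the TLS 1.2 implementation was disabled at runtime ...") describes the behaviour but not its security consequence the way the first bullet does ("resulting in a denial of service"); a short clause naming the impact (a TLS 1.2 connection being accepted despite the configured version restriction) would make the entry consistent and easier to triage.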