ChangeLog.d/crl-revocationDate.txt - third_party/github.com/ARMmbed/mbedtls - Git at Google

 Security
    * When checking X.509 CRLs, a certificate was only considered as revoked if
      its revocationDate was in the past according to the local clock if
      available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
      certificates were never considered as revoked. On builds with
      MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
      example, an untrusted OS attacking a secure enclave) could prevent
      revocation of certificates via CRLs. Fixed by no longer checking the
      revocationDate field, in accordance with RFC 5280. Reported by
      yuemonangong in #3340. Reported independently and fixed by
      Raoul Strackx and Jethro Beekman in #3433.
	Security
	* When checking X.509 CRLs, a certificate was only considered as revoked if
	its revocationDate was in the past according to the local clock if
	available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
	certificates were never considered as revoked. On builds with
	MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
	example, an untrusted OS attacking a secure enclave) could prevent
	revocation of certificates via CRLs. Fixed by no longer checking the
	revocationDate field, in accordance with RFC 5280. Reported by
	yuemonangong in #3340. Reported independently and fixed by
	Raoul Strackx and Jethro Beekman in #3433.