Impact
s2n-tls clients and servers negotiating TLS 1.2 could choose a SHA-1 hash in TLS connection signatures even though their s2n-tls security policy did not support SHA-1.
Customers of AWS services do not need to take action. Applications using s2n-tls should upgrade to the most recent release of s2n-tls.
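As an added illustration (not s2n-tls code and not part of the original advisory), the following C sketch shows how a defender could inspect a captured TLS 1.2 ECDHE ServerKeyExchange body and flag a SHA-1 `SignatureAndHashAlgorithm` or one outside a locally allowed list. The function names, the allowed list and the sample bytes are constructed for this example, and only named-curve ECDHE exchanges are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_HASH_SHA1 2 /* HashAlgorithm sha1, RFC 5246 section 7.4.1.4.1 */

/* Constructed sample: ECDHE ServerKeyExchange body (handshake header removed)
 * with a dummy 4-byte public key and a dummy 2-byte signature. */
static const uint8_t SAMPLE_SHA1_SKE[] = {
    0x03, 0x00, 0x17,             /* curve_type=named_curve, secp256r1 */
    0x04, 0xAA, 0xBB, 0xCC, 0xDD, /* public key length + dummy key     */
    0x02, 0x01,                   /* hash=sha1(2), signature=rsa(1)    */
    0x00, 0x02, 0x11, 0x22        /* signature length + dummy bytes    */
};

/* Stores the SignatureAndHashAlgorithm in *scheme and returns 0, or returns
 * -1 if the body is truncated or is not a named-curve ECDHE exchange. */
int ske_signature_scheme(const uint8_t *body, size_t len, uint16_t *scheme)
{
    if (len < 4 || body[0] != 0x03) return -1;
    size_t off = 4 + (size_t)body[3]; /* skip ECParameters and ECPoint */
    if (len < off + 4) return -1;     /* scheme (2) + signature length (2) */
    size_t sig_len = ((size_t)body[off + 2] << 8) | body[off + 3];
    if (len - off - 4 != sig_len) return -1;
    *scheme = (uint16_t)((body[off] << 8) | body[off + 1]);
    return 0;
}

/* Returns 1 if the peer's scheme uses SHA-1 or is missing from the allowed
 * list, 0 if it is acceptable, -1 if the message cannot be parsed. */
int ske_violates_policy(const uint8_t *body, size_t len,
                        const uint16_t *allowed, size_t n)
{
    uint16_t scheme;
    if (ske_signature_scheme(body, len, &scheme) != 0) return -1;
    if ((scheme >> 8) == TLS_HASH_SHA1) return 1;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == scheme) return 0;
    return 1;
}

int main(void)
{
    /* Assumed policy for the example: {sha256, rsa} and {sha256, ecdsa}. */
    const uint16_t allowed[] = { 0x0401, 0x0403 };
    int r = ske_violates_policy(SAMPLE_SHA1_SKE, sizeof SAMPLE_SHA1_SKE, allowed, 2);
    printf("policy violation: %d\n", r);
    return r == 1 ? 0 : 1;
}
```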
Patches
The patch is included in s2n-tls v1.3.54.
Workarounds
There is no workaround. Applications using s2n-tls should upgrade to the most recent release of s2n-tls.
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.