From c522255e33e378a5fe8d92d931ee3eada4a989e1 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 8 Feb 2024 10:26:07 +0100 Subject: [PATCH] Add change log Signed-off-by: Ronald Cron --- ChangeLog.d/tls-max-version-reset.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/tls-max-version-reset.txt diff --git a/ChangeLog.d/tls-max-version-reset.txt b/ChangeLog.d/tls-max-version-reset.txt new file mode 100644 index 0000000000..2fa58168c2 --- /dev/null +++ b/ChangeLog.d/tls-max-version-reset.txt @@ -0,0 +1,6 @@ +Security + * Restore the maximum TLS version to be negotiated to the configured one + when an SSL context is reset with the mbedtls_ssl_session_reset() API. + An attacker was able to prevent an Mbed TLS server from establishing any + TLS 1.3 connection potentially resulting in a Denial of Service or forced + version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.
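Review bot: the new ChangeLog.d/tls-max-version-reset.txt entry states the effect of the bug (the server can no longer establish any TLS 1.3 connection) and the fix (the maximum negotiable version is restored on mbedtls_ssl_session_reset()), but it does not say what lowered the maximum version in the first place, i.e. under which circumstances a context that is reset and reused retains a reduced maximum, nor which Mbed TLS releases are affected. Since this is filed under "Security", users triaging exposure need both: consider adding a sentence in the same bullet describing the triggering condition (what a prior handshake on the same context must have done for the reset to leave the maximum at TLS 1.2) and the first affected version, as other security entries in ChangeLog.d do. Minor wording point: "potentially resulting in a Denial of Service or forced version downgrade" reads more precisely as two distinct outcomes, e.g. "a denial of service for TLS 1.3-only clients, or a forced downgrade from TLS 1.3 to TLS 1.2 for clients that also accept TLS 1.2", which makes clear which clients see which impact.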