author | Matt Caswell <matt@openssl.org> | 2016-01-27 13:55:05 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-01-28 17:06:38 +0000 |
commit | 5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb (patch) | |
tree | 3556957912f3160cecf085db97dcb9998bdd2b46 | |
parent | 4040a7fd104b412bd446338c6c28a62eb7d8e852 (diff) |
Update CHANGES and NEWS ready for release
Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r-- | CHANGES | 12 |
-rw-r--r-- | NEWS | 2 |
2 files changed, 13 insertions, 1 deletions
@@ -4,6 +4,18 @@ Changes between 1.0.1q and 1.0.1r [xx XXX xxxx] + *) SSLv2 doesn't block disabled ciphers + + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram + and Sebastian Schinzel. + (CVE-2015-3197) + [Viktor Dukhovni] + *) Reject DH handshakes with parameters shorter than 1024 bits. [Kurt Roeckx] @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [under development] - o + o SSLv2 doesn't block disabled ciphers (CVE-2015-3197) Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015] |
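Review bot: In the CHANGES hunk, the new CVE-2015-3197 entry describes the flaw (a client completing SSLv2 handshakes with ciphers that are disabled on the server) but never says what this release changes. Add a closing sentence stating the server's behaviour after the fix, so a reader can tell the entry records a correction and not a known limitation. The entry mentions SSL_OP_NO_SSLv2 only as a precondition ("provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2"); saying outright that setting this option avoids the issue would help operators who read CHANGES before they can upgrade. The section header in the context line still reads "[xx XXX xxxx]" although the commit subject says the files are ready for release, so confirm the date is filled in before tagging.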
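Review bot: In the NEWS hunk, the added line "o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)" states the defect rather than the fix, so under the "Major changes" heading it can be read as behaviour that 1.0.1r introduces. Reword it as a fix, keeping the CVE identifier, so the summary matches what the CHANGES entry is meant to record. The heading in the context line still says "[under development]"; check that it is replaced with the release date as part of the release.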