author: Matt Caswell <matt@openssl.org> 2016-01-27 13:55:05 +0000
committer: Matt Caswell <matt@openssl.org> 2016-01-28 17:06:38 +0000
commit: 5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb (patch)
tree: 3556957912f3160cecf085db97dcb9998bdd2b46
parent: 4040a7fd104b412bd446338c6c28a62eb7d8e852 (diff)
Update CHANGES and NEWS ready for release
Update CHANGES and NEWS with details of the issues fixed in the forthcoming release.

Reviewed-by: Rich Salz <rsalz@openssl.org>
CHANGES | 12
NEWS    |  2
2 files changed, 13 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 23ca912fa6..ca3c62639f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,18 @@
Changes between 1.0.1q and 1.0.1r [xx XXX xxxx]
+ *) SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ (CVE-2015-3197)
+ [Viktor Dukhovni]
+
*) Reject DH handshakes with parameters shorter than 1024 bits.
[Kurt Roeckx]
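Review bot: the new CVE-2015-3197 entry describes the bug but never says what the fix does, so a reader of CHANGES cannot tell whether 1.0.1r now rejects SSLv2 cipher suites that were disabled in the cipher string, or whether SSLv2 is simply turned off when no SSLv2 cipher is enabled; add one sentence stating the new behaviour. The entry also implies the interim mitigation without stating it: since the bug only bites "provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2", say plainly that deployments which cannot upgrade should set SSL_OP_NO_SSLv2 rather than rely on the cipher list alone. The "[xx XXX xxxx]" date placeholder in the section header is still unfilled and must be completed in the release commit.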
diff --git a/NEWS b/NEWS
index e712f14ae3..13dcd01aac 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [under development]
- o
+ o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
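Review bot: the NEWS line matches the CHANGES title and carries the CVE identifier, which is what advisory readers search for, so the wording is fine as is. The section header still reads "[under development]", mirroring the "[xx XXX xxxx]" placeholder in CHANGES; both headers should be dated in the same release commit so the two files do not drift apart.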