diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-06-05 08:56:20 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-06-05 09:04:27 +0100 |
commit | aabbe99fcb802c3c6d4425c3a5f4143f2616e9ed (patch) | |
tree | e850da58dc2e1a2f56ddff4b3867ce36fe032053 | |
parent | 8011cd56e39a433b1837465259a9bd24a38727fb (diff) |
Update CHANGES and NEWS
-rw-r--r-- | CHANGES | 31 | ||||
-rw-r--r-- | NEWS | 6 |
2 files changed, 36 insertions, 1 deletions
@@ -4,6 +4,37 @@ Changes between 1.0.1g and 1.0.1h [xx XXX xxxx] + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + + Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and + researching this issue. (CVE-2014-0224) + [KIKUCHI Masashi, Steve Henson] + + *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + (CVE-2014-0221) + [Imre Rad, Steve Henson] + + *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can + be triggered by sending invalid DTLS fragments to an OpenSSL DTLS + client or server. This is potentially exploitable to run arbitrary + code on a vulnerable client or server. + + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] + + *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites + are subject to a denial of service attack. + + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + this issue. (CVE-2014-3470) + [Felix Gröbert, Ivan Fratric, Steve Henson] + *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha <mancha1@zoho.com>] @@ -7,7 +7,11 @@ Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [under development] - o + o Fix for CVE-2014-0224 + o Fix for CVE-2014-0221 + o Fix for CVE-2014-0195 + o Fix for CVE-2014-3470 + o Fix for CVE-2010-5298 Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014] |