diff options
| author | Matt Caswell <matt@openssl.org> | 2019-09-10 11:58:18 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-09-10 12:09:49 +0100 |
| commit | 26080054209056b899fe677ee8393972a924cde5 (patch) | |
| tree | ae69aadd774bfca58ed322e9fbae39329f692b93 | |
| parent | e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f (diff) | |
Remove duplicate CHANGES entry
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9846)
| -rw-r--r-- | CHANGES | 13 | ||||
| -rw-r--r-- | NEWS | 2 |
2 files changed, 2 insertions, 13 deletions
@@ -9,18 +9,6 @@ Changes between 1.0.2s and 1.0.2t [xx XXX xxxx] - *) Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt(). In situations - where an attacker receives automated notification of the success or failure - of a decryption attempt an attacker, after sending a very large number of - messages to be decrypted, can recover a CMS/PKCS7 transported encryption - key or decrypt any RSA encrypted message that was encrypted with the public - RSA key, using a Bleichenbacher padding oracle attack. Applications are not - affected if they use a certificate together with the private RSA key to the - CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info - to decrypt. - (CVE-2019-1563) - [Bernd Edlinger] - *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ @@ -51,6 +39,7 @@ certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. + (CVE-2019-1563) [Bernd Edlinger] *) Document issue with installation paths in diverse Windows builds @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development] - o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt() + o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) o For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters |