diff options
author | Matt Caswell <matt@openssl.org> | 2014-10-15 10:52:00 +0100 |
---|---|---|
committer | Geoff Thorpe <geoff@openssl.org> | 2014-10-15 08:46:57 -0400 |
commit | 4d2efa29f6ef9253402ab359d3bee256c3f403fc (patch) | |
tree | 6291bf2f5989309fccaf9f012ba2bed9c58b1ada | |
parent | cd332a07503bd9771595de87e768179f81715704 (diff) |
Updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
-rw-r--r-- | CHANGES | 19 |
1 files changed, 19 insertions, 0 deletions
@@ -4,6 +4,25 @@ Changes between 0.9.8zb and 0.9.8zc [xx XXX xxxx] + *) Session Ticket Memory Leak. + + When an OpenSSL SSL/TLS/DTLS server receives a session ticket the + integrity of that ticket is first verified. In the event of a session + ticket integrity check failing, OpenSSL will fail to free memory + causing a memory leak. By sending a large number of invalid session + tickets an attacker could exploit this issue in a Denial Of Service + attack. + (CVE-2014-3567) + [Steve Henson] + + *) Build option no-ssl3 is incomplete. + + When OpenSSL is configured with "no-ssl3" as a build option, servers + could accept and complete a SSL 3.0 handshake, and clients could be + configured to send them. + (CVE-2014-3568) + [Akamai and the OpenSSL team] + *) Add support for TLS_FALLBACK_SCSV. Client applications doing fallback retries should call SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). |