author    Matt Caswell <matt@openssl.org>  2015-07-02 15:38:32 +0100
committer Matt Caswell <matt@openssl.org>  2015-07-09 09:30:46 +0100
commit    6f47ced0157059edee2d4c0d94fcf76e08763c5f (patch)
tree      137a18a76d953c9135d24f86bf2c4c0bfb80e039
parent    7f3f41d816bb80e362a5978420f59030b3132c81 (diff)
Update CHANGES and NEWS for the new release
Reviewed-by: Stephen Henson <steve@openssl.org>
-rw-r--r--  CHANGES  24
-rw-r--r--  NEWS     10
2 files changed, 32 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index 057909ea47..4f0749d370 100644
--- a/CHANGES
+++ b/CHANGES
@@ -434,7 +434,29 @@
whose return value is often ignored.
[Steve Henson]
- Changes between 1.0.2a and 1.0.2b [xx XXX xxxx]
+ Changes between 1.0.2c and 1.0.2d [xx XXX xxxx]
+
+ *) Alternate chains certificate forgery
+
+ During certificate verfification, OpenSSL will attempt to find an
+ alternative certificate chain if the first attempt to build such a chain
+ fails. An error in the implementation of this logic can mean that an
+ attacker could cause certain checks on untrusted certificates to be
+ bypassed, such as the CA flag, enabling them to use a valid leaf
+ certificate to act as a CA and "issue" an invalid certificate.
+
+ This issue was reported to OpenSSL by Adam Langley/David Benjamin
+ (Google/BoringSSL).
+ [Matt Caswell]
+
+ Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
+
+ *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
+ incompatibility in the handling of HMAC. The previous ABI has now been
+ restored.
+ [Matt Caswell]
+
+ Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
*) Malformed ECParameters causes infinite loop
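Review bot: "verfification" in the first line of the new "Alternate chains certificate forgery" paragraph is a typo for "verification" and will otherwise ship in the released CHANGES file. While touching that entry, note that the CHANGES text carries no CVE identifier, whereas the matching NEWS entry added in this same commit records "(CVE-2015-1793)"; appending the same identifier to the CHANGES entry (for example on the "*) Alternate chains certificate forgery" line) keeps the two files consistent and lets a reader grepping CHANGES for the CVE find the description of the bypassed CA-flag check.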
diff --git a/NEWS b/NEWS
index beb2dd3d86..e51526ea35 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [under development]
+ Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [under development]
+
+ o Alternate chains certificate forgery (CVE-2015-1793)
+
+ Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
+
+ o Fix HMAC ABI incompatibility
+
+ Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
o Malformed ECParameters causes infinite loop (CVE-2015-1788)
o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)