author Matt Caswell <matt@openssl.org> 2016-01-28 12:28:53 +0000
committer Matt Caswell <matt@openssl.org> 2016-01-28 17:06:38 +0000
commit bea4cb2e804160f08bd7f10286946c422e38ac3c
tree 69358016bb6b9ff86ab856150ef70f2036e2505e
parent 5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb
Further updates to CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- CHANGES 7
-rw-r--r-- NEWS 1
2 files changed, 8 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index ca3c62639f..24cf821257 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
Changes between 1.0.1q and 1.0.1r [xx XXX xxxx]
+ *) Protection for DH small subgroup attacks
+
+ As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+ switched on by default and cannot be disabled. This could have some
+ performance impact.
+ [Matt Caswell]
+
*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on
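Review bot: The last sentence of the new CHANGES entry, "This could have some performance impact.", does not say who is affected or what the cost is. Because the option is now on by default and cannot be disabled, the affected set is the applications that did not set SSL_OP_SINGLE_DH_USE before this release; naming them, and stating that attempts to clear the option no longer have any effect, would let a reader decide whether the upgrade changes behaviour for them. The entry also gives "precautionary measure" as its only rationale, with no pointer to an advisory or further description, so a one-line reason for the change would help.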
diff --git a/NEWS b/NEWS
index 13dcd01aac..d8e4fd0173 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [under development]
+ o Protection for DH small subgroup attacks
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
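Review bot: The added NEWS line "o Protection for DH small subgroup attacks" does not mention that the protection is a default change that cannot be turned off, which is the part an upgrading user most needs from a major-changes list. Consider naming SSL_OP_SINGLE_DH_USE on this line or pointing at the CHANGES entry. The neighbouring line carries "(CVE-2015-3197)"; if an identifier applies to the new item, add it in the same form so the two entries read consistently.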