author Dr. Stephen Henson <steve@openssl.org> 2011-09-06 15:15:09 +0000
committer Dr. Stephen Henson <steve@openssl.org> 2011-09-06 15:15:09 +0000
commit 0486cce653b62d26a8ca37ac12f69f1a6b998844 (patch)
tree c64c71c581fd887ef50a0f90132194a098cfda69 /CHANGES
parent 0f8d4d49dc33ce56023c6faf640c8f7ef48160d4 (diff)
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
produce an error (CVE-2011-3207)
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 6
1 files changed, 5 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index b3d4c06c00..66e9800948 100644
--- a/CHANGES
+++ b/CHANGES
@@ -431,8 +431,12 @@
Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
+ *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+ by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ [Kaspar Brand <ossl@velox.ch>]
+
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
- for multi-threaded use of ECDH.
+ for multi-threaded use of ECDH. (CVE-2011-3210)
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
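Review bot: The edit to the existing (EC)DH entry, which appends "(CVE-2011-3210)", is not covered by the commit message, which names only CVE-2011-3207. Either mention the second CVE annotation in the commit message or move it to its own commit, so that anyone searching the history for CVE-2011-3210 finds the change that tagged it. In the new entry, "sometimes accepted" leaves a reader unable to tell whether their deployment was exposed; a short clause stating the condition under which X509_STORE_CTX was left improperly initialised would make the entry actionable for anyone triaging CRL validation behaviour.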