author Mark J. Cox <mark@openssl.org> 2005-10-11 10:16:21 +0000
committer Mark J. Cox <mark@openssl.org> 2005-10-11 10:16:21 +0000
commit 64932f9e4aab568f758ad8318ea99774bbcfbbbd (patch)
tree 658a10fbf02a226c7b0324029a238caaa837f04b /CHANGES
parent 5a20efcf172df3e4b6049322f4e7f3a6d4a5b357 (diff)
Add fixes for CAN-2005-2969 OpenSSL_0_9_8a
Bump release ready for OpenSSL_0_9_8a tag
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 27
1 files changed, 25 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index 4125b9daa6..a84cebf5fc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,17 @@
OpenSSL CHANGES
_______________
- Changes between 0.9.8 and 0.9.8a [XX xxx XXXX]
+ Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
+
+ *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+ (part of SSL_OP_ALL). This option used to disable the
+ countermeasure against man-in-the-middle protocol-version
+ rollback in the SSL 2.0 server implementation, which is a bad
+ idea. (CAN-2005-2969)
+
+ [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+ for Information Security, National Institute of Advanced Industrial
+ Science and Technology [AIST], Japan)]
*) Add two function to clear and return the verify parameter flags.
[Steve Henson]
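Review bot: The new 0.9.8a entry says the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING is removed but does not say what that means for existing callers, in particular whether the constant stays defined and is simply ignored, and that applications setting SSL_OP_ALL no longer turn the rollback countermeasure off. "which is a bad idea" gives no sense of impact either. Suggest one more sentence in the entry stating that the option is now a no-op, that code using it or SSL_OP_ALL keeps compiling, and that SSL 2.0 servers which had it set were exposed to the man-in-the-middle version rollback named in the text.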
@@ -848,7 +858,17 @@
differing sizes.
[Richard Levitte]
- Changes between 0.9.7g and 0.9.7h [XX xxx XXXX]
+ Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
+
+ *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+ (part of SSL_OP_ALL). This option used to disable the
+ countermeasure against man-in-the-middle protocol-version
+ rollback in the SSL 2.0 server implementation, which is a bad
+ idea.
+
+ [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+ for Information Security, National Institute of Advanced Industrial
+ Science and Technology [AIST], Japan)]
*) Minimal support for X9.31 signatures and PSS padding modes. This is
mainly for FIPS compliance and not fully integrated at this stage.
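Review bot: The 0.9.7h copy of the entry ends at "idea." and drops the "(CAN-2005-2969)" reference that the 0.9.8a entry in the first hunk carries at the same spot. Users on the 0.9.7 branch need the identifier to match this release against the advisory, so add it here as well. The two paragraphs are otherwise identical, so keeping them word for word the same also makes later edits less likely to drift.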
@@ -899,6 +919,9 @@
Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
+ [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
+ OpenSSL 0.9.8.]
+
*) Fixes for newer kerberos headers. NB: the casts are needed because
the 'length' field is signed on one version and unsigned on another
with no (?) obvious way to tell the difference, without these VC++
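Review bot: The NB about 0.9.7h is inserted under the "Changes between 0.9.7f and 0.9.7g [11 Apr 2005]" heading, yet it concerns 0.9.7h and later patch levels, whose own section sits further up in the file. A reader looking at the 0.9.7h entries will not see it there. Consider placing or repeating it directly under the "Changes between 0.9.7g and 0.9.7h" heading, and spell out the consequence for the reader, for example that entries in that section can also appear under a 0.9.8 patch level, as the SSL_OP_MSIE_SSLV2_RSA_PADDING entry in this commit does.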