author | Matt Caswell <matt@openssl.org> | 2016-09-26 09:43:45 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-09-26 10:25:13 +0100 |
commit | 87cd6f9253580866b13729d33fdd45205485b675 (patch) | |
tree | 0a9676f48451cb933ef58a676dc07986a10a0341 /CHANGES | |
parent | f8644220a05f75d51bbde627077cdf336e4d4592 (diff) |
Updates CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 15 |
1 files changed, 14 insertions, 1 deletions
@@ -4,7 +4,20 @@ Changes between 1.1.0a and 1.1.0b [xx XXX xxxx] - *) + *) Fix Use After Free for large message sizes + + The patch applied to address CVE-2016-6307 resulted in an issue where if a + message larger than approx 16k is received then the underlying buffer to + store the incoming message is reallocated and moved. Unfortunately a + dangling pointer to the old location is left which results in an attempt to + write to the previously freed location. This is likely to result in a + crash, however it could potentially lead to execution of arbitrary code. + + This issue only affects OpenSSL 1.1.0a. + + This issue was reported to OpenSSL by Robert Święcki. + (CVE-2016-6309) + [Matt Caswell] Changes between 1.1.0 and 1.1.0a [22 Sep 2016] |
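Review bot: In the added line "message larger than approx 16k is received", the threshold has no unit and the entry does not say which kind of message is meant. Suggest "approx 16k bytes" and naming the message type, so that readers of CHANGES can judge whether their deployment is exposed. The section heading in the hunk context still reads "Changes between 1.1.0a and 1.1.0b [xx XXX xxxx]", so the date placeholder needs to be filled in before this ships as the release entry, unless a separate commit does that. The entry says "This issue only affects OpenSSL 1.1.0a" but does not tell users what to do. A closing sentence such as "OpenSSL 1.1.0a users should upgrade to 1.1.0b" would make the remediation explicit.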