author Dr. Stephen Henson <steve@openssl.org> 2011-09-06 15:14:41 +0000
committer Dr. Stephen Henson <steve@openssl.org> 2011-09-06 15:14:41 +0000
commit cd447875e65fb8de648bfa30126e24f2786e2040 (patch)
tree 248533b744525270ed67e522afa94341183b9b2e /CHANGES
parent 692a94293c833515999b43b03ae4f862a105cfb0 (diff)
Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
produce an error (CVE-2011-3207)
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 6
1 files changed, 5 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 178ab09388..c158de99db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -177,8 +177,12 @@
Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
+ *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+ by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ [Kaspar Brand <ossl@velox.ch>]
+
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
- for multi-threaded use of ECDH.
+ for multi-threaded use of ECDH. (CVE-2011-3210)
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
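Review bot: The edit to the existing ECDH entry, which appends "(CVE-2011-3210)", is not covered by the commit message, which names only the CRL fix and CVE-2011-3207. Either split that one-line change into its own commit or mention it in the message, so that the CVE tag on the ECDH entry can be traced in history. In the new CRL entry, "sometimes accepted" does not tell a reader when an expired CRL was accepted; consider stating the condition under which X509_STORE_CTX was left improperly initialised, so users can judge from CHANGES alone whether their use of CRL checking was affected.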