bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files

author: Dr. Stephen Henson <steve@openssl.org> 2010-11-16 14:18:51 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2010-11-16 14:18:51 +0000
commit: 732d31beeeb2e2e9f44d05da8387cfeca06b91b8 (patch)
tree: 32d0001d19dac7c63816b01a00adc512ccbcccec /CHANGES
parent: f7d2f17a0709abb641799e32a11a2408d733d8ed (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index bc985c517b..f5351f857f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -161,6 +161,10 @@
 
  Changes between 1.0.0a and 1.0.0b  [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
   *) Fix WIN32 build system to correctly link an ENGINE directory into
      a DLL. 
      [Steve Henson]
@@ -1014,6 +1018,10 @@
   
  Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
   *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
      [Steve Henson]
author	Dr. Stephen Henson <steve@openssl.org>	2010-11-16 14:18:51 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2010-11-16 14:18:51 +0000
commit	732d31beeeb2e2e9f44d05da8387cfeca06b91b8 (patch)
tree	32d0001d19dac7c63816b01a00adc512ccbcccec /CHANGES
parent	f7d2f17a0709abb641799e32a11a2408d733d8ed (diff)