author Bodo Möller <bodo@openssl.org> 2011-02-03 10:43:00 +0000
committer Bodo Möller <bodo@openssl.org> 2011-02-03 10:43:00 +0000
commit 88f2a4cf9ced521e2c2874a1c32af0eeaa027f40
tree c47e75369abcbb8f1630033e0cceadce3395c693 /CHANGES
parent 9d0397e9779524745018d03a8f938905898dfffb
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 5
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 7c44f0d989..f063349a84 100644
--- a/CHANGES
+++ b/CHANGES
@@ -175,6 +175,11 @@
Changes between 1.0.0b and 1.0.0c [2 Dec 2010]
+ *) Disable code workaround for ancient and obsolete Netscape browsers
+ and servers: an attacker can use it in a ciphersuite downgrade attack.
+ Thanks to Martin Rex for discovering this bug. CVE-2010-4180
+ [Steve Henson]
+
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
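Review bot: The new entry at the top of the 1.0.0c section says "Disable code workaround for ancient and obsolete Netscape browsers and servers" without naming the workaround or the option that enabled it, so a reader of CHANGES cannot tell which setting in their own configuration is affected, or whether the behaviour can still be switched back on. Suggest naming the option and stating whether it is now ignored or removed. The entry could also say outright that this is a security fix, as the J-PAKE entry directly below does ("Note that this fix is a security fix"), rather than leaving that to the trailing CVE-2010-4180 reference.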