author Richard Levitte <richard@levitte.org> 2014-06-12 12:21:58 +0200
committer Richard Levitte <richard@levitte.org> 2014-06-12 12:22:24 +0200
commit 68a1e0bc3534be060c520c7ce1c9205538572edf
tree f4489f15893bab11f8b7164dc56753a18329f859 /CHANGES
parent ed6c278f60120f768a847fca7441b20ca3e1e827
Bring in the 1.0.1g to 1.0.1h changes into CHANGES.
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 46
1 files changed, 45 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 3af69f1d22..d004adcd05 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,7 @@
OpenSSL CHANGES
_______________
- Changes between 1.0.1g and 1.0.2 [xx XXX xxxx]
+ Changes between 1.0.1h and 1.0.2 [xx XXX xxxx]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
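Review bot: The "Harmonize version and its documentation. -f flag is used to display compilation flags." entry remains as the first item under the renamed "Changes between 1.0.1h and 1.0.2" heading, while the second hunk adds the same entry to the new 1.0.1g to 1.0.1h section, so CHANGES now lists it twice. If the change shipped in 1.0.1h, remove it from this section so the 1.0.2 list only shows what is new relative to 1.0.1h; if the duplicate is a deliberate convention for fixes carried on both branches, say so in the commit message.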
@@ -291,6 +291,50 @@
certificates.
[Steve Henson]
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+ *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. (CVE-2014-0224)
+ [KIKUCHI Masashi, Steve Henson]
+
+ *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ (CVE-2014-0221)
+ [Imre Rad, Steve Henson]
+
+ *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
+
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
+
+ *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
+
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. (CVE-2014-3470)
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+ *) Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix some double frees. These are not thought to be exploitable.
+ [mancha <mancha1@zoho.com>]
+
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
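Review bot: The CVE-2014-3470 entry reads "where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack", which is missing a relative pronoun and leaves the affected party ambiguous; suggest "where clients that enable anonymous ECDH ciphersuites are subject to a denial of service attack". In the same block, "Fix some double frees" names no function or file, unlike the eckey_priv_encode entry directly above it, so a reader auditing a backport cannot tell which code paths were touched; listing the affected functions would make the entry checkable.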