author Dr. Stephen Henson <steve@openssl.org> 2010-12-02 18:49:28 +0000
committer Dr. Stephen Henson <steve@openssl.org> 2010-12-02 18:49:28 +0000
commit 7890b562bc6801acc2e364d127fd038aa03f523e (patch)
tree 0d5ce158e709c97f90d3b6595130f7a0e844f610 /CHANGES
parent 7258d33794c4269085a09f96bcf546e78b61bcb5 (diff)
fix for CVE-2010-4180
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 5
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 00067bf14c..365201d22a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
Changes between 0.9.8p and 0.9.8q [xx XXX xxxx]
+ *) Disable code workaround for ancient and obsolete Netscape browsers
+ and servers: an attacker can use it in a ciphersuite downgrade attack.
+ Thanks to Martin Rex for discovering this bug. CVE-2010-4180
+ [Steve Henson]
+
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
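Review bot: the new entry at the top of the 0.9.8q section says a "code workaround for ancient and obsolete Netscape browsers and servers" is disabled, but it does not name the workaround or the option or build setting that enabled it, so someone reading CHANGES cannot tell whether their configuration relied on it or whether a setting they still pass is now ignored. Suggest naming the affected option in the entry and stating what happens to applications that still set it. The J-PAKE entry directly below says "Note that this fix is a security fix"; this entry describes a ciphersuite downgrade attack and carries CVE-2010-4180, so the same explicit wording would keep the two consistent. The diffstat here is limited to CHANGES, so the code change cannot be compared against this wording from this view.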