Update CHANGES and NEWS

author: Dr. Stephen Henson <steve@openssl.org> 2013-02-04 22:57:49 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2013-02-05 16:46:19 +0000
commit: 8a5d624d5b76c0c3cfdcf4f7fa35c22af7ccbbaa (patch)
tree: abd7e8e13a4fcdf8c7e493847593384f21dc35a9 /CHANGES
parent: ae4a75cecf5d804e0cf57c35b1b301457e7352b8 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 6f6a922038..f21f58e3cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,19 @@
 
  Changes between 1.0.0j and 1.0.0k [xx XXX xxxx]
 
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia Käsper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
   *) Return an error when checking OCSP signatures when key is NULL.
      This fixes a DoS attack. (CVE-2013-0166)
      [Steve Henson]
author	Dr. Stephen Henson <steve@openssl.org>	2013-02-04 22:57:49 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2013-02-05 16:46:19 +0000
commit	8a5d624d5b76c0c3cfdcf4f7fa35c22af7ccbbaa (patch)
tree	abd7e8e13a4fcdf8c7e493847593384f21dc35a9 /CHANGES
parent	ae4a75cecf5d804e0cf57c35b1b301457e7352b8 (diff)