summaryrefslogtreecommitdiffstats
path: root/CHANGES
AgeCommit message (Collapse)Author
2012-10-05Update CHANGES for OCSP fix.Ben Laurie
2012-05-11PR: 2813Dr. Stephen Henson
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com> Fix possible deadlock when decoding public keys.
2012-05-10prepare for next versionDr. Stephen Henson
2012-05-10prepare for 0.9.8x releaseDr. Stephen Henson
2012-05-10Sanity check record length before skipping explicit IV in DTLSDr. Stephen Henson
to fix DoS attack. Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. (CVE-2012-2333)
2012-05-10Reported by: Solar Designer of OpenwallDr. Stephen Henson
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-04-23prepare for next versionDr. Stephen Henson
2012-04-23prepare form 0.9.8w releaseDr. Stephen Henson
2012-04-23The fix for CVE-2012-2110 did not take into account that theDr. Stephen Henson
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. Thanks to the many people who reported this bug and to Tomas Hoger <thoger@redhat.com> for supplying the fix.
2012-04-19prepare for next versionDr. Stephen Henson
2012-04-19prepare for 0.9.8v releaseDr. Stephen Henson
2012-04-19Check for potentially exploitable overflows in asn1_d2i_read_bioDr. Stephen Henson
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer in CRYPTO_realloc_clean. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
2012-03-12prepare for next versionDr. Stephen Henson
2012-03-12prepare for releaseDr. Stephen Henson
2012-03-12Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key andDr. Stephen Henson
continue with symmetric decryption process to avoid leaking timing information to an attacker. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this issue. (CVE-2012-0884)
2012-02-16Fix bug in CVE-2011-4619: check we have really received a client helloDr. Stephen Henson
before rejecting multiple SGC restarts.
2012-01-18prepare for next versionDr. Stephen Henson
2012-01-18prepare for releaseDr. Stephen Henson
2012-01-18Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.Dr. Stephen Henson
Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050)
2012-01-17fix CHANGES entryDr. Stephen Henson
2012-01-04update for next versionDr. Stephen Henson
2012-01-04prepare for 0.9.8s releaseDr. Stephen Henson
2012-01-04Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen ↵Dr. Stephen Henson
<tuexen@fh-muenster.de> Reviewed by: steve Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and Kenny Paterson.
2012-01-04Fix double free in policy check code (CVE-2011-4109)Dr. Stephen Henson
2012-01-04Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576)Dr. Stephen Henson
2012-01-04Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)Dr. Stephen Henson
2012-01-04Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577)Dr. Stephen Henson
2011-12-02Resolve a stack set-up race condition (if the list of compressionBodo Möller
methods isn't presorted, it will be sorted on first read). Submitted by: Adam Langley
2011-12-02Fix ecdsatest.c.Bodo Möller
Submitted by: Emilia Kasper
2011-12-02Fix BIO_f_buffer().Bodo Möller
Submitted by: Adam Langley Reviewed by: Bodo Moeller
2011-10-19BN_BLINDING multi-threading fix.Bodo Möller
Submitted by: Emilia Kasper (Google)
2011-10-19Oops: this change (http://cvs.openssl.org/chngview?cn=21503)Bodo Möller
wasn't right for 0.9.8-stable (it's actually a fix for http://cvs.openssl.org/chngview?cn=14494, which introduced SSL_CTRL_SET_MAX_SEND_FRAGMENT).
2011-10-13In ssl3_clear, preserve s3->init_extra along with s3->rbuf.Bodo Möller
Submitted by: Bob Buckholz <bbuckholz@google.com>
2011-09-05(EC)DH memory handling fixes.Bodo Möller
Submitted by: Adam Langley
2011-09-05Fix memory leak on bad inputs.Bodo Möller
2011-05-25Fix the ECDSA timing attack mentioned in the paper at:Dr. Stephen Henson
http://eprint.iacr.org/2011/232.pdf Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for bringing this to our attention.
2011-02-08start 0.9.8s-devBodo Möller
2011-02-08OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)OpenSSL_0_9_8rBodo Möller
Submitted by: Neel Mehta, Adam Langley, Bodo Moeller
2011-01-03Fix escaping code for string printing. If *any* escaping is enabled weDr. Stephen Henson
must escape the escape character itself (backslash).
2010-12-02update for next releaseDr. Stephen Henson
2010-12-02prepare for releaseOpenSSL_0_9_8qDr. Stephen Henson
2010-12-02fix for CVE-2010-4180Dr. Stephen Henson
2010-11-29add CVE to JPAKE fixDr. Stephen Henson
2010-11-26Backport J-PAKE fix.Ben Laurie
2010-11-16update for next versionDr. Stephen Henson
2010-11-16prepare for releaseDr. Stephen Henson
2010-11-16fix CVE-2010-3864Dr. Stephen Henson
2010-10-10PR: 2314Dr. Stephen Henson
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net> Reviewed by: steve Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
2010-10-03Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(),Dr. Stephen Henson
this means that some implementations will be used automatically, e.g. aesni, we do this for cryptodev anyway. Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
2010-08-26ECC library bugfixes.Bodo Möller
Submitted by: Emilia Kapser (Google)
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-06 23:39:39 +0000