Age | Commit message | Author | |
---|---|---|---|
2012-10-05 | Update CHANGES for OCSP fix. | Ben Laurie | |
2012-05-11 | PR: 2813 Reported by: Constantine Sapuntzakis <csapuntz@gmail.com> Fix possible deadlock when decoding public keys. | Dr. Stephen Henson | |
2012-05-10 | prepare for next version | Dr. Stephen Henson | |
2012-05-10 | prepare for 0.9.8x release | Dr. Stephen Henson | |
2012-05-10 | Sanity check record length before skipping explicit IV in DTLS to fix DoS attack. Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. (CVE-2012-2333) | Dr. Stephen Henson | |
2012-05-10 | Reported by: Solar Designer of Openwall Make sure tkeylen is initialised properly when encrypting CMS messages. | Dr. Stephen Henson | |
2012-04-23 | prepare for next version | Dr. Stephen Henson | |
2012-04-23 | prepare for 0.9.8w release | Dr. Stephen Henson | |
2012-04-23 | The fix for CVE-2012-2110 did not take into account that the 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. Thanks to the many people who reported this bug and to Tomas Hoger <thoger@redhat.com> for supplying the fix. | Dr. Stephen Henson | |
2012-04-19 | prepare for next version | Dr. Stephen Henson | |
2012-04-19 | prepare for 0.9.8v release | Dr. Stephen Henson | |
2012-04-19 | Check for potentially exploitable overflows in asn1_d2i_read_bio BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer in CRYPTO_realloc_clean. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110) | Dr. Stephen Henson | |
2012-03-12 | prepare for next version | Dr. Stephen Henson | |
2012-03-12 | prepare for release | Dr. Stephen Henson | |
2012-03-12 | Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key and continue with symmetric decryption process to avoid leaking timing information to an attacker. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this issue. (CVE-2012-0884) | Dr. Stephen Henson | |
2012-02-16 | Fix bug in CVE-2011-4619: check we have really received a client hello before rejecting multiple SGC restarts. | Dr. Stephen Henson | |
2012-01-18 | prepare for next version | Dr. Stephen Henson | |
2012-01-18 | prepare for release | Dr. Stephen Henson | |
2012-01-18 | Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) | Dr. Stephen Henson | |
2012-01-17 | fix CHANGES entry | Dr. Stephen Henson | |
2012-01-04 | update for next version | Dr. Stephen Henson | |
2012-01-04 | prepare for 0.9.8s release | Dr. Stephen Henson | |
2012-01-04 | Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de> Reviewed by: steve Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and Kenny Paterson. | Dr. Stephen Henson | |
2012-01-04 | Fix double free in policy check code (CVE-2011-4109) | Dr. Stephen Henson | |
2012-01-04 | Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) | Dr. Stephen Henson | |
2012-01-04 | Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) | Dr. Stephen Henson | |
2012-01-04 | Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) | Dr. Stephen Henson | |
2011-12-02 | Resolve a stack set-up race condition (if the list of compression methods isn't presorted, it will be sorted on first read). Submitted by: Adam Langley | Bodo Möller | |
2011-12-02 | Fix ecdsatest.c. Submitted by: Emilia Kasper | Bodo Möller | |
2011-12-02 | Fix BIO_f_buffer(). Submitted by: Adam Langley Reviewed by: Bodo Moeller | Bodo Möller | |
2011-10-19 | BN_BLINDING multi-threading fix. Submitted by: Emilia Kasper (Google) | Bodo Möller | |
2011-10-19 | Oops: this change (http://cvs.openssl.org/chngview?cn=21503) wasn't right for 0.9.8-stable (it's actually a fix for http://cvs.openssl.org/chngview?cn=14494, which introduced SSL_CTRL_SET_MAX_SEND_FRAGMENT). | Bodo Möller | |
2011-10-13 | In ssl3_clear, preserve s3->init_extra along with s3->rbuf. Submitted by: Bob Buckholz <bbuckholz@google.com> | Bodo Möller | |
2011-09-05 | (EC)DH memory handling fixes. Submitted by: Adam Langley | Bodo Möller | |
2011-09-05 | Fix memory leak on bad inputs. | Bodo Möller | |
2011-05-25 | Fix the ECDSA timing attack mentioned in the paper at: http://eprint.iacr.org/2011/232.pdf Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for bringing this to our attention. | Dr. Stephen Henson | |
2011-02-08 | start 0.9.8s-dev | Bodo Möller | |
2011-02-08 | OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d) Submitted by: Neel Mehta, Adam Langley, Bodo Moeller (tag: OpenSSL_0_9_8r) | Bodo Möller | |
2011-01-03 | Fix escaping code for string printing. If *any* escaping is enabled we must escape the escape character itself (backslash). | Dr. Stephen Henson | |
2010-12-02 | update for next release | Dr. Stephen Henson | |
2010-12-02 | prepare for release (tag: OpenSSL_0_9_8q) | Dr. Stephen Henson | |
2010-12-02 | fix for CVE-2010-4180 | Dr. Stephen Henson | |
2010-11-29 | add CVE to JPAKE fix | Dr. Stephen Henson | |
2010-11-26 | Backport J-PAKE fix. | Ben Laurie | |
2010-11-16 | update for next version | Dr. Stephen Henson | |
2010-11-16 | prepare for release | Dr. Stephen Henson | |
2010-11-16 | fix CVE-2010-3864 | Dr. Stephen Henson | |
2010-10-10 | PR: 2314 Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net> Reviewed by: steve Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 | Dr. Stephen Henson | |
2010-10-03 | Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(), this means that some implementations will be used automatically, e.g. aesni, we do this for cryptodev anyway. Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it. | Dr. Stephen Henson | |
2010-08-26 | ECC library bugfixes. Submitted by: Emilia Kasper (Google) | Bodo Möller | |