Sync with 1.0.0 branch.
(CVE-2011-0014 OCSP stapling fix has been applied to the 1.0.1 branch as well.)
This commit is contained in:
Bodo Möller
parent
8c93c4dd42
commit
cd77b3e88b
1 changed files with 29 additions and 3 deletions
32
CHANGES
32
CHANGES
|
|
@ -2,7 +2,7 @@
|
|||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 1.0.0c and 1.0.1 [xx XXX xxxx]
|
||||
Changes between 1.0.0d and 1.0.1 [xx XXX xxxx]
|
||||
|
||||
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
|
||||
[Steve Henson]
|
||||
|
|
@ -41,7 +41,10 @@
|
|||
Add command line options to s_client/s_server.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.0c and 1.0.0d [xx XXX xxxx]
|
||||
Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
|
||||
|
||||
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
|
||||
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
|
||||
|
||||
*) Fix bug in string printing code: if *any* escaping is enabled we must
|
||||
escape the escape character (backslash) or the resulting string is
|
||||
|
|
@ -918,11 +921,34 @@
|
|||
*) Change 'Configure' script to enable Camellia by default.
|
||||
[NTT]
|
||||
|
||||
Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
|
||||
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
|
||||
|
||||
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
|
||||
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
|
||||
|
||||
*) Fix bug in string printing code: if *any* escaping is enabled we must
|
||||
escape the escape character (backslash) or the resulting string is
|
||||
ambiguous.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
|
||||
|
||||
*) Disable code workaround for ancient and obsolete Netscape browsers
|
||||
and servers: an attacker can use it in a ciphersuite downgrade attack.
|
||||
Thanks to Martin Rex for discovering this bug. CVE-2010-4180
|
||||
[Steve Henson]
|
||||
|
||||
*) Fixed J-PAKE implementation error, originally discovered by
|
||||
Sebastien Martini, further info and confirmation from Stefan
|
||||
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
|
||||
[Ben Laurie]
|
||||
|
||||
Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
|
||||
|
||||
*) Fix extension code to avoid race conditions which can result in a buffer
|
||||
overrun vulnerability: resumed sessions must not be modified as they can
|
||||
be shared by multiple threads. CVE-2010-3864
|
||||
[Steve Henson]
|
||||
|
||||
*) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
|
||||
[Steve Henson]
|
||||
|
|
|
|||
Loading…
Reference in a new issue