Add updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
This commit is contained in:
parent
26a59d9b46
commit
f8cf36c298
1 changed files with 33 additions and 0 deletions
33
CHANGES
33
CHANGES
|
@ -4,6 +4,39 @@
|
|||
|
||||
Changes between 1.0.1i and 1.0.1j [xx XXX xxxx]
|
||||
|
||||
*) SRTP Memory Leak.
|
||||
|
||||
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
|
||||
sends a carefully crafted handshake message, to cause OpenSSL to fail
|
||||
to free up to 64k of memory causing a memory leak. This could be
|
||||
exploited in a Denial Of Service attack. This issue affects OpenSSL
|
||||
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
|
||||
whether SRTP is used or configured. Implementations of OpenSSL that
|
||||
have been compiled with OPENSSL_NO_SRTP defined are not affected.
|
||||
|
||||
The fix was developed by the OpenSSL team.
|
||||
(CVE-2014-3513)
|
||||
[OpenSSL team]
|
||||
|
||||
*) Session Ticket Memory Leak.
|
||||
|
||||
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
|
||||
integrity of that ticket is first verified. In the event of a session
|
||||
ticket integrity check failing, OpenSSL will fail to free memory
|
||||
causing a memory leak. By sending a large number of invalid session
|
||||
tickets an attacker could exploit this issue in a Denial Of Service
|
||||
attack.
|
||||
(CVE-2014-3567)
|
||||
[Steve Henson]
|
||||
|
||||
*) Build option no-ssl3 is incomplete.
|
||||
|
||||
When OpenSSL is configured with "no-ssl3" as a build option, servers
|
||||
could accept and complete a SSL 3.0 handshake, and clients could be
|
||||
configured to send them.
|
||||
(CVE-2014-3568)
|
||||
[Akamai and the OpenSSL team]
|
||||
|
||||
*) Add support for TLS_FALLBACK_SCSV.
|
||||
Client applications doing fallback retries should call
|
||||
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
|
||||
|
|
Loading…
Reference in a new issue