Dr. Stephen Henson
8ab27e6ef7
prepare for 0.9.8v release
2012-04-19 11:39:03 +00:00
Dr. Stephen Henson
556e27b14f
Check for potentially exploitable overflows in asn1_d2i_read_bio
...
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
2012-04-19 11:36:09 +00:00
Dr. Stephen Henson
e351e2a7cf
prepare for next version
2012-03-12 16:35:13 +00:00
Dr. Stephen Henson
2fad41d155
prepare for release
2012-03-12 14:53:14 +00:00
Dr. Stephen Henson
4f2fc3c2dd
Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key and
...
continue with symmetric decryption process to avoid leaking timing
information to an attacker.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
2012-03-12 14:51:45 +00:00
Dr. Stephen Henson
843fc7b681
Fix bug in CVE-2011-4619: check we have really received a client hello
...
before rejecting multiple SGC restarts.
2012-02-16 15:21:17 +00:00
Dr. Stephen Henson
a72ce94213
prepare for next version
2012-01-18 14:27:13 +00:00
Dr. Stephen Henson
3309f8313c
prepare for release
2012-01-18 13:14:49 +00:00
Dr. Stephen Henson
096327a99a
Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
...
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
2012-01-18 13:12:08 +00:00
Dr. Stephen Henson
cc10bcf25e
fix CHANGES entry
2012-01-17 14:18:26 +00:00
Dr. Stephen Henson
244788464a
update for next version
2012-01-04 23:56:13 +00:00
Dr. Stephen Henson
b3cebd5acf
prepare for 0.9.8s release
2012-01-04 19:20:49 +00:00
Dr. Stephen Henson
eebefe35e7
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>
...
Reviewed by: steve
Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
2012-01-04 19:10:16 +00:00
Dr. Stephen Henson
1db0bbdc76
Fix double free in policy check code (CVE-2011-4109)
2012-01-04 19:00:28 +00:00
Dr. Stephen Henson
e643112dd8
Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576)
2012-01-04 18:54:17 +00:00
Dr. Stephen Henson
21c4b25959
Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
2012-01-04 18:52:18 +00:00
Dr. Stephen Henson
0e3a930fb4
Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577)
2012-01-04 18:44:20 +00:00
Bodo Möller
740da44f20
Resolve a stack set-up race condition (if the list of compression
...
methods isn't presorted, it will be sorted on first read).
Submitted by: Adam Langley
2011-12-02 12:50:44 +00:00
Bodo Möller
72033fde7b
Fix ecdsatest.c.
...
Submitted by: Emilia Kasper
2011-12-02 12:40:25 +00:00
Bodo Möller
9adf3fcf9a
Fix BIO_f_buffer().
...
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
2011-12-02 12:23:57 +00:00
Bodo Möller
195d6bf760
BN_BLINDING multi-threading fix.
...
Submitted by: Emilia Kasper (Google)
2011-10-19 14:57:59 +00:00
Bodo Möller
dacd94b9c8
Oops: this change ( http://cvs.openssl.org/chngview?cn=21503 )
...
wasn't right for 0.9.8-stable (it's actually a fix for
http://cvs.openssl.org/chngview?cn=14494 , which introduced
SSL_CTRL_SET_MAX_SEND_FRAGMENT).
2011-10-19 13:53:41 +00:00
Bodo Möller
f7d514f449
In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
...
Submitted by: Bob Buckholz <bbuckholz@google.com>
2011-10-13 13:04:40 +00:00
Bodo Möller
db45308477
(EC)DH memory handling fixes.
...
Submitted by: Adam Langley
2011-09-05 10:25:15 +00:00
Bodo Möller
1c7c69a8a5
Fix memory leak on bad inputs.
2011-09-05 09:56:48 +00:00
Dr. Stephen Henson
1e368ab08f
Fix the ECDSA timing attack mentioned in the paper at:
...
http://eprint.iacr.org/2011/232.pdf
Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:43:47 +00:00
Bodo Möller
d430f56de6
start 0.9.8s-dev
2011-02-08 17:58:34 +00:00
Bodo Möller
957ebe98fb
OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)
...
Submitted by: Neel Mehta, Adam Langley, Bodo Moeller
2011-02-08 17:10:47 +00:00
Dr. Stephen Henson
9ad765173f
Fix escaping code for string printing. If *any* escaping is enabled we
...
must escape the escape character itself (backslash).
2011-01-03 01:26:33 +00:00
Dr. Stephen Henson
b8be571868
update for next release
2010-12-02 19:42:28 +00:00
Dr. Stephen Henson
acd43bf38c
prepare for release
2010-12-02 18:53:52 +00:00
Dr. Stephen Henson
7890b562bc
fix for CVE-2010-4180
2010-12-02 18:49:28 +00:00
Dr. Stephen Henson
f7ffc3a6c9
add CVE to JPAKE fix
2010-11-29 18:47:51 +00:00
Ben Laurie
efed63d783
Backport J-PAKE fix.
2010-11-26 16:03:23 +00:00
Dr. Stephen Henson
0067580321
update for next version
2010-11-16 16:35:37 +00:00
Dr. Stephen Henson
7e541b1a7f
prepare for release
2010-11-16 14:37:28 +00:00
Dr. Stephen Henson
2ae47ddbc2
fix CVE-2010-3864
2010-11-16 14:26:18 +00:00
Dr. Stephen Henson
a073129293
PR: 2314
...
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net>
Reviewed by: steve
Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
2010-10-10 12:21:23 +00:00
Dr. Stephen Henson
6cb5746b65
Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(),
...
this means that some implementations will be used automatically, e.g. aesni,
we do this for cryptodev anyway.
Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
2010-10-03 18:55:57 +00:00
Bodo Möller
d4ba6424a1
ECC library bugfixes.
...
Submitted by: Emilia Kapser (Google)
2010-08-26 12:10:25 +00:00
Bodo Möller
92a97e52a0
Version tree clarification.
2010-08-26 11:15:09 +00:00
Dr. Stephen Henson
63e3676e68
fix so it is safe to repeatedly add PBE algorithms
2010-06-26 12:55:01 +00:00
Dr. Stephen Henson
1dac2cae68
prepare for next release
2010-06-16 13:40:09 +00:00
Dr. Stephen Henson
22872a5363
Prepare for release.
2010-06-01 14:47:12 +00:00
Dr. Stephen Henson
82b6b541b1
Fix CVE-2010-0742
2010-06-01 14:39:57 +00:00
Dr. Stephen Henson
bc06baca76
Add SHA2 algorithms to SSL_library_init(). Although these aren't used
...
directly by SSL/TLS SHA2 certificates are becoming more common and
applications that only call SSL_library_init() and not
OpenSSL_add_all_alrgorithms() will fail when verifying certificates.
Update docs.
2010-04-07 13:19:48 +00:00
Dr. Stephen Henson
cf6a1dea19
PR: 2202 (partial)
...
Submitted by: Steven M. Schweda <sms@antinode.info>
VMS fixes:
Reduce copying into .apps and .test in makevms.com
Don't try to use blank CA certificate in CA.com
Allow use of C files from original directories in maketests.com
2010-03-25 12:29:56 +00:00
Dr. Stephen Henson
c3c658e1c0
updates for next version
2010-03-25 12:07:04 +00:00
Dr. Stephen Henson
354f92d66a
Submitted by: Bodo Moeller and Adam Langley (Google).
...
Fix for "Record of death" vulnerability CVE-2010-0740.
2010-03-24 13:16:42 +00:00
Dr. Stephen Henson
ede1351997
Submitted by: Tomas Hoger <thoger@redhat.com>
...
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:34:11 +00:00