From 1dc6a5441a2759e7e17995ef61ba7fc9011920a7 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 8 Jan 2015 13:37:28 +0000 Subject: [PATCH] CHANGES and NEWS updates for release Reviewed-by: Tim Hudson Reviewed-by: Steve Henson --- CHANGES | 25 +++++++++++++++++++++++++ NEWS | 7 ++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 573f2b728a..a63fe905ad 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,20 @@ Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx] + *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS + message can cause a segmentation fault in OpenSSL due to a NULL pointer + dereference. This could lead to a Denial Of Service attack. Thanks to + Markus Stenberg of Cisco Systems, Inc. for reporting this issue. + (CVE-2014-3571) + [Steve Henson] + + *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is + built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl + method would be set to NULL which could later result in a NULL pointer + dereference. Thanks to Frank Schmirler for reporting this issue. + (CVE-2014-3569) + [Kurt Roeckx] + *) Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites. @@ -58,6 +72,17 @@ (CVE-2014-8275) [Steve Henson] + *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect + results on some platforms, including x86_64. This bug occurs at random + with a very low probability, and is not known to be exploitable in any + way, though its exact impact is difficult to determine. Thanks to Pieter + Wuille (Blockstream) who reported this issue and also suggested an initial + fix. Further analysis was conducted by the OpenSSL development team and + Adam Langley of Google. The final fix was developed by Andy Polyakov of + the OpenSSL core team. + (CVE-2014-3570) + [Andy Polyakov] + Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014] *) Session Ticket Memory Leak. 
diff --git a/NEWS b/NEWS index 45ae0f5899..712a236da2 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,12 @@ Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [under development] - o + o Fix for CVE-2014-3571 + o Fix for CVE-2014-3569 + o Fix for CVE-2014-3572 + o Fix for CVE-2015-0204 + o Fix for CVE-2014-8275 + o Fix for CVE-2014-3570 Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]: -- 2.39.2
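Review bot: In the first CHANGES hunk, the CVE-2014-3569 entry has wording inconsistencies: "When openssl is built" should use the capitalisation "OpenSSL" that the CVE-2014-3571 entry directly above it uses, and "a SSL v3 ClientHello" should read "an SSL v3 ClientHello". The entry also ends at "could later result in a NULL pointer dereference" without saying what that means for a deployment, whereas the CVE-2014-3571 entry states its impact ("This could lead to a Denial Of Service attack"). Stating the impact in the same way would let readers judge severity without looking up the CVE.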
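Review bot: In the second CHANGES hunk, the BN_sqr entry (CVE-2014-3570) says the bug affects "some platforms, including x86_64" but names no others, so a reader on a different architecture cannot tell from this entry whether their build is affected. List the affected platforms or point to the security advisory. This entry is also added after the CVE-2014-8275 entry at the end of the 0.9.8zd section, while the other two new entries go at the top of the section. If the ordering is deliberate, fine; otherwise keep the new entries together.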
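Review bot: In the NEWS hunk, the section header still reads "[under development]", and the CHANGES header in the first hunk still reads "[xx XXX xxxx]", although the subject says these are updates for release. Fill in the release date here or confirm that a follow-up commit does it. The six new bullets are bare CVE identifiers. A few words each, taken from the CHANGES wording (for example the DTLS segmentation fault for CVE-2014-3571 and the BN_sqr correction for CVE-2014-3570), would make NEWS readable on its own. CVE-2014-3572 and CVE-2015-0204 are listed here but no CHANGES entry carrying those identifiers is among the lines this patch adds or shows, so check that both are already present in CHANGES.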