[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.8q and 0.9.8r [xx XXX xxxx]

  *) Fix bug in string printing code: if *any* escaping is enabled we must
     escape the escape character (backslash) or the resulting string is
     ambiguous.
     [Steve Henson]

 Changes between 0.9.8p and 0.9.8q [2 Dec 2010]

  *) Disable code workaround for ancient and obsolete Netscape browsers
     and servers: an attacker can use it in a ciphersuite downgrade attack.
     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
     [Steve Henson]

  *) Fixed J-PAKE implementation error, originally discovered by
     Sebastien Martini, further info and confirmation from Stefan
     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
     [Ben Laurie]

 Changes between 0.9.8o and 0.9.8p [16 Nov 2010]

  *) Fix extension code to avoid race conditions which can result in a buffer
     overrun vulnerability: resumed sessions must not be modified as they can
     be shared by multiple threads. CVE-2010-3864
     [Steve Henson]

  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
     [Steve Henson]

  *) Don't reencode certificate when calculating signature: cache and use
     the original encoding instead. This makes signature verification of
     some broken encodings work correctly.
     [Steve Henson]

  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
     is also one of the inputs.
Commit	Line	Data
81a6c781	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
b8be5718 DSH	5	Changes between 0.9.8q and 0.9.8r [xx XXX xxxx]
b8be5718 DSH	6
9ad76517 DSH	7	) Fix bug in string printing code: if any* escaping is enabled we must
	8	escape the escape character (backslash) or the resulting string is
	9	ambiguous.
	10	[Steve Henson]
b8be5718	11
acd43bf3	12	Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
00675803	13
7890b562 DSH	14	*) Disable code workaround for ancient and obsolete Netscape browsers
	15	and servers: an attacker can use it in a ciphersuite downgrade attack.
	16	Thanks to Martin Rex for discovering this bug. CVE-2010-4180
	17	[Steve Henson]
	18
efed63d7 BL	19	*) Fixed J-PAKE implementation error, originally discovered by
efed63d7 BL	20	Sebastien Martini, further info and confirmation from Stefan
f7ffc3a6	21	Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
efed63d7	22	[Ben Laurie]
00675803	23
7e541b1a	24	Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
1dac2cae	25
2ae47ddb DSH	26	*) Fix extension code to avoid race conditions which can result in a buffer
	27	overrun vulnerability: resumed sessions must not be modified as they can
	28	be shared by multiple threads. CVE-2010-3864
	29	[Steve Henson]
	30
a0731292 DSH	31	*) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
	32	[Steve Henson]
	33
6cb5746b DSH	34	*) Don't reencode certificate when calculating signature: cache and use
	35	the original encoding instead. This makes signature verification of
	36	some broken encodings work correctly.
	37	[Steve Henson]
	38
d4ba6424 BM	39	*) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
	40	is also one of the inputs.
	41