git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Fix CVE-2014-3470
[thirdparty/openssl.git] / CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1g and 1.0.1h [xx XXX xxxx]

  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]

  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey.
     [mancha <mancha1@zoho.com>]

  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]

 Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

     Thanks to Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]

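The bounds check the entry above refers to, as an added example that is not OpenSSL's own code: a parser for a heartbeat request (RFC 6520 layout: 1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) that refuses to echo more bytes than the received record actually contains. The function names, the sample messages and the response builder are constructed here for illustration and do not mirror OpenSSL's internal structures.

```c
/* Added example (not OpenSSL's code): heartbeat request parsing with the
 * record-length check that CVE-2014-0160 lacked.
 *
 * Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2) | payload | padding(>= 16)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Returns the number of payload bytes that may safely be echoed back, or -1
 * if the message must be discarded. `record_len` is the length of the record
 * that actually arrived; the payload_length field is peer controlled. */
int hb_checked_payload_len(const uint8_t *rec, size_t record_len)
{
    if (record_len < 1 + 2 + HB_MIN_PADDING)
        return -1;                      /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check: header + claimed payload + minimum padding must fit inside
     * the received record. Without it, building the response copies
     * `payload` bytes starting at rec + 3, reading past the record buffer. */
    if (1 + 2 + payload + HB_MIN_PADDING > record_len)
        return -1;
    return (int)payload;
}

/* Builds the response into `out`. Returns bytes written, or -1 if the request
 * was rejected or `out_cap` is too small. */
int hb_build_response(const uint8_t *rec, size_t record_len,
                      uint8_t *out, size_t out_cap)
{
    int payload = hb_checked_payload_len(rec, record_len);
    if (payload < 0)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (out_cap < need)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, (size_t)payload);      /* bounded by the check */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);   /* constructed: zero padding */
    return (int)need;
}

/* Constructed sample: 5-byte payload "hello" plus 16 bytes of padding. */
static const uint8_t demo_honest[24]   = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Same 24-byte record, but the length field claims 65535 payload bytes. */
static const uint8_t demo_overlong[24] = {HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};

int demo_honest_len(void)   { return hb_checked_payload_len(demo_honest, sizeof demo_honest); }
int demo_overlong_len(void) { return hb_checked_payload_len(demo_overlong, sizeof demo_overlong); }

/* Returns the response length for the honest request, or -1 if its echoed
 * payload does not match what was sent. */
int demo_response_len(void)
{
    uint8_t out[64];
    int n = hb_build_response(demo_honest, sizeof demo_honest, out, sizeof out);
    if (n < 0 || out[0] != HB_RESPONSE || memcmp(out + 3, "hello", 5) != 0)
        return -1;
    return n;
}

int main(void)
{
    printf("honest request:   payload %d bytes\n", demo_honest_len());
    printf("overlong request: %d (rejected)\n", demo_overlong_len());
    printf("response length:  %d bytes\n", demo_response_len());
    return 0;
}
```

The check is written against the received record length rather than the length field, which is the whole point: the length field is the one value the peer chooses.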
  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140

     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]

  *) TLS pad extension: draft-agl-tls-padding-03

     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
     TLS client Hello record length value would otherwise be > 255 and
     less than 512, pad with a dummy extension containing zeroes so it
     is at least 512 bytes long.

     [Adam Langley, Steve Henson]

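The padding rule from the entry above, as an added example that is not OpenSSL's own code: it sizes a zero-filled padding extension so that a ClientHello of 256 to 511 bytes ends up at least 512 bytes long. Assumed here: extension type 21 (the value later registered for padding by RFC 7685), a 4-byte extension header (2-byte type, 2-byte length) that counts toward the total, and a `hello_len` measured on the handshake message without the 5-byte record header. Updating the enclosing extensions-length and handshake-length fields is left out; real code must do that as well.

```c
/* Added example (not OpenSSL's code): sizing the draft-agl-tls-padding
 * extension so a ClientHello in the 256..511 byte range reaches 512 bytes.
 * Assumptions: type 21, 4-byte extension header, all-zero body. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLSEXT_TYPE_padding 21
#define PAD_TARGET          512

/* Body length of the padding extension for a ClientHello that is currently
 * `hello_len` bytes long. Returns (size_t)-1 when no extension is needed,
 * i.e. the length is outside the problematic 256..511 range. */
size_t tls_padding_body_len(size_t hello_len)
{
    if (hello_len <= 0xff || hello_len >= PAD_TARGET)
        return (size_t)-1;
    size_t gap = PAD_TARGET - hello_len;
    /* The 4-byte extension header already contributes to the total; when the
     * gap is smaller than that, the header alone carries us past 512. */
    return gap >= 4 ? gap - 4 : 0;
}

/* Appends the extension to `buf` (holding `hello_len` bytes, capacity `cap`).
 * Returns the new ClientHello length (unchanged when no padding is needed),
 * or 0 when `cap` is too small. */
size_t tls_append_padding(uint8_t *buf, size_t hello_len, size_t cap)
{
    size_t body = tls_padding_body_len(hello_len);
    if (body == (size_t)-1)
        return hello_len;
    size_t need = hello_len + 4 + body;
    if (need > cap)
        return 0;
    uint8_t *p = buf + hello_len;
    p[0] = (uint8_t)(TLSEXT_TYPE_padding >> 8);
    p[1] = (uint8_t)(TLSEXT_TYPE_padding & 0xff);
    p[2] = (uint8_t)(body >> 8);
    p[3] = (uint8_t)(body & 0xff);
    memset(p + 4, 0, body);         /* the draft requires an all-zero body */
    return need;
}

/* Constructed demo: a ClientHello of `n` filler bytes, then padding applied.
 * Returns the resulting length. */
size_t demo_padded_len(size_t n)
{
    uint8_t buf[1024];
    memset(buf, 0xAA, n);           /* constructed filler standing in for a real hello */
    return tls_append_padding(buf, n, sizeof buf);
}

/* Returns 1 if a 300-byte hello receives a correctly framed type-21 extension
 * with a 208-byte body, 0 otherwise. */
int demo_header_ok(void)
{
    uint8_t buf[1024];
    memset(buf, 0xAA, 300);
    if (tls_append_padding(buf, 300, sizeof buf) != 512)
        return 0;
    return buf[300] == 0 && buf[301] == 21 && buf[302] == 0 && buf[303] == 208;
}

int main(void)
{
    size_t lens[] = {200, 300, 509, 510, 600};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("hello %3zu bytes -> %3zu bytes\n", lens[i], demo_padded_len(lens[i]));
    return 0;
}
```

Note the two edge cases at the top of the range: a 510-byte hello gets a header-only extension and becomes 514 bytes, and a 509-byte hello becomes 513; both clear the 512-byte threshold the workaround targets.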
 Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

  *) Fix for TLS record tampering bug. A carefully crafted invalid
     handshake could crash OpenSSL with a NULL pointer exception.
     Thanks to Anton Johansson for reporting this issue.
     (CVE-2013-4353)

  *) Keep original DTLS digest and encryption contexts in retransmission
     structures so we can use the previous session parameters if they need
     to be resent. (CVE-2013-6450)
     [Steve Henson]

  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
     Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
     several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
     [Rob Stradling, Adam Langley]

 Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]

 Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and