projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE |
3 | _______________ |
| 4 | ||
| 049615e3 DSH |
5 | Changes between 1.0.1h and 1.0.1i [xx XXX xxxx] |
| 6 | ||
| 281720c2 BM |
7 | *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) |
| 8 | for corner cases. (Certain input points at infinity could lead to | |
| 9 | bogus results, with non-infinity inputs mapped to infinity too.) | |
| 10 | [Bodo Moeller] | |
| 049615e3 | 11 | |
| 6b72417a | 12 | Changes between 1.0.1g and 1.0.1h [5 Jun 2014] |
| ebe22194 | 13 | |
| aabbe99f DSH |
14 | *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted |
| 15 | handshake can force the use of weak keying material in OpenSSL | |
| 16 | SSL/TLS clients and servers. | |
| 17 | ||
| 18 | Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and | |
| 19 | researching this issue. (CVE-2014-0224) | |
| 20 | [KIKUCHI Masashi, Steve Henson] | |
| 21 | ||
| 22 | *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an | |
| 23 | OpenSSL DTLS client the code can be made to recurse eventually crashing | |
| 24 | in a DoS attack. | |
| 25 | ||
| 26 | Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. | |
| 27 | (CVE-2014-0221) | |
| 28 | [Imre Rad, Steve Henson] | |
| 29 | ||
| 30 | *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can | |
| 31 | be triggered by sending invalid DTLS fragments to an OpenSSL DTLS | |
| 32 | client or server. This is potentially exploitable to run arbitrary | |
| 33 | code on a vulnerable client or server. | |
| 34 | ||
| 35 |