| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| 049615e3 DSH | 5 | Changes between 1.0.1h and 1.0.1i [xx XXX xxxx] |
| | 6 | |
| 281720c2 BM | 7 | *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) |
| | 8 | for corner cases. (Certain input points at infinity could lead to |
| | 9 | bogus results, with non-infinity inputs mapped to infinity too.) |
| | 10 | [Bodo Moeller] |
| 049615e3 | 11 | |
| 6b72417a | 12 | Changes between 1.0.1g and 1.0.1h [5 Jun 2014] |
| ebe22194 | 13 | |
| aabbe99f DSH | 14 | *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted |
| | 15 | handshake can force the use of weak keying material in OpenSSL |
| | 16 | SSL/TLS clients and servers. |
| | 17 | |
| | 18 | Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and |
| | 19 | researching this issue. (CVE-2014-0224) |
| | 20 | [KIKUCHI Masashi, Steve Henson] |
| | 21 | |
| | 22 | *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an |
| | 23 | OpenSSL DTLS client the code can be made to recurse eventually crashing |
| | 24 | in a DoS attack. |
| | 25 | |
| | 26 | Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. |
| | 27 | (CVE-2014-0221) |
| | 28 | [Imre Rad, Steve Henson] |
| | 29 | |
| | 30 | *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can |
| | 31 | be triggered by sending invalid DTLS fragments to an OpenSSL DTLS |
| | 32 | client or server. This is potentially exploitable to run arbitrary |
| | 33 | code on a vulnerable client or server. |
| | 34 | |
| | 35 |