]>
Commit | Line | Data |
---|---|---|
5f8e6c50 DMSP |
1 | NEWS |
2 | ==== | |
3 | ||
4 | This file gives a brief overview of the major changes between each OpenSSL | |
5 | release. For more details please read the CHANGES file. | |
6 | ||
4477beac DMSP |
7 | OpenSSL Releases |
8 | ---------------- | |
9 | ||
10 | - [OpenSSL 3.0](#openssl-30) | |
11 | - [OpenSSL 1.1.1](#openssl-111) | |
12 | - [OpenSSL 1.1.0](#openssl-110) | |
13 | - [OpenSSL 1.0.2](#openssl-102) | |
14 | - [OpenSSL 1.0.1](#openssl-101) | |
15 | - [OpenSSL 1.0.0](#openssl-100) | |
16 | - [OpenSSL 0.9.x](#openssl-09x) | |
17 | ||
18 | OpenSSL 3.0 | |
19 | ----------- | |
20 | ||
c2db6839 | 21 | ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development] |
4477beac | 22 | |
eca47139 | 23 | * Interactive mode is removed from the 'openssl' program. |
19985ac4 P |
24 | * The X25519, X448, Ed25519, Ed448 and SHAKE256 algorithms are included in |
25 | the FIPS provider. None have the "fips=yes" property set and, as such, | |
26 | will not be accidentially used. | |
4477beac DMSP |
27 | * The algorithm specific public key command line applications have |
28 | been deprecated. These include dhparam, gendsa and others. The pkey | |
29 | alternatives should be used intead: pkey, pkeyparam and genpkey. | |
30 | * X509 certificates signed using SHA1 are no longer allowed at security | |
31 | level 1 or higher. The default security level for TLS is 1, so | |
32 | certificates signed using SHA1 are by default no longer trusted to | |
33 | authenticate servers or clients. | |
5f8e6c50 DMSP |
34 | * enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly |
35 | disabled; the project uses address sanitize/leak-detect instead. | |
e7774c28 DDO |
36 | * Added a Certificate Management Protocol (CMP, RFC 4210) implementation |
37 | also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712). | |
8d9a4d83 | 38 | It is part of the crypto lib and adds a 'cmp' app with a demo configuration. |
e7774c28 DDO |
39 | All widely used CMP features are supported for both clients and servers. |
40 | * Added a proper HTTP(S) client to libcrypto supporting GET and POST, | |
41 | redirection, plain and ASN.1-encoded contents, proxies, and timeouts. | |
5f8e6c50 | 42 | * Added OSSL_SERIALIZER, a generic serializer API. |
be19d3ca | 43 | * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM. |
5f8e6c50 DMSP |
44 | * Added error raising macros, ERR_raise() and ERR_raise_data(). |
45 | * Deprecated ERR_put_error(). | |
46 | * Added OSSL_PROVIDER_available(), to check provider availibility. | |
47 | * Added 'openssl mac' that uses the EVP_MAC API. | |
48 | * Added 'openssl kdf' that uses the EVP_KDF API. | |
49 | * Add OPENSSL_info() and 'openssl info' to get built-in data. | |
50 | * Add support for enabling instrumentation through trace and debug | |
51 | output. | |
52 | * Changed our version number scheme and set the next major release to | |
53 | 3.0.0 | |
54 | * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC | |
55 | bridge. | |
56 | * Removed the heartbeat message in DTLS feature. | |
57 | * Added EVP_KDF, an EVP layer KDF API, and a generic EVP_PKEY to EVP_KDF | |
58 | bridge. | |
4477beac DMSP |
59 | * All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, |
60 | SHA256, SHA384, SHA512 and Whirlpool digest functions have been | |
61 | deprecated. | |
62 | * All of the low level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2, | |
63 | RC4, RC5 and SEED cipher functions have been deprecated. | |
64 | * All of the low level DH, DSA, ECDH, ECDSA and RSA public key functions | |
65 | have been deprecated. | |
66 | ||
67 | OpenSSL 1.1.1 | |
68 | ------------- | |
69 | ||
257e9d03 | 70 | ### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development] |
8658fedd | 71 | |
257e9d03 | 72 | * |
8658fedd | 73 | |
257e9d03 | 74 | ### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] |
8658fedd DMSP |
75 | |
76 | * Fixed an overflow bug in the x64_64 Montgomery squaring procedure | |
77 | used in exponentiation with 512-bit moduli ([CVE-2019-1551][]) | |
78 | ||
257e9d03 | 79 | ### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] |
4477beac DMSP |
80 | |
81 | * Fixed a fork protection issue ([CVE-2019-1549][]) | |
82 | * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey | |
83 | ([CVE-2019-1563][]) | |
84 | * For built-in EC curves, ensure an EC_GROUP built from the curve name is | |
85 | used even when parsing explicit parameters | |
86 | * Compute ECC cofactors if not provided during EC_GROUP construction | |
87 | ([CVE-2019-1547][]) | |
88 | * Early start up entropy quality from the DEVRANDOM seed source has been | |
89 | improved for older Linux systems | |
90 | * Correct the extended master secret constant on EBCDIC systems | |
91 | * Use Windows installation paths in the mingw builds ([CVE-2019-1552][]) | |
92 | * Changed DH_check to accept parameters with order q and 2q subgroups | |
93 | * Significantly reduce secure memory usage by the randomness pools | |
94 | * Revert the DEVRANDOM_WAIT feature for Linux systems | |
95 | ||
257e9d03 | 96 | ### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019] |
4477beac DMSP |
97 | |
98 | * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543][]) | |
99 | ||
257e9d03 | 100 | ### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019] |
4477beac DMSP |
101 | |
102 | * Change the info callback signals for the start and end of a post-handshake | |
103 | message exchange in TLSv1.3. | |
104 | * Fix a bug in DTLS over SCTP. This breaks interoperability with older | |
105 | versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. | |
5f8e6c50 | 106 | |
257e9d03 | 107 | ### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] |
5f8e6c50 | 108 | |
4477beac DMSP |
109 | * Timing vulnerability in DSA signature generation ([CVE-2018-0734][]) |
110 | * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735][]) | |
5f8e6c50 | 111 | |
257e9d03 | 112 | ### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] |
5f8e6c50 | 113 | |
4477beac | 114 | * Support for TLSv1.3 added. The TLSv1.3 implementation includes: |
257e9d03 RS |
115 | * Fully compliant implementation of RFC8446 (TLSv1.3) on by default |
116 | * Early data (0-RTT) | |
117 | * Post-handshake authentication and key update | |
118 | * Middlebox Compatibility Mode | |
119 | * TLSv1.3 PSKs | |
120 | * Support for all five RFC8446 ciphersuites | |
121 | * RSA-PSS signature algorithms (backported to TLSv1.2) | |
122 | * Configurable session ticket support | |
123 | * Stateless server support | |
124 | * Rewrite of the packet construction code for "safer" packet handling | |
125 | * Rewrite of the extension handling code | |
4477beac DMSP |
126 | For further important information, see the [TLS1.3 page]( |
127 | https://wiki.openssl.org/index.php/TLS1.3) in the OpenSSL Wiki. | |
128 | ||
5f8e6c50 DMSP |
129 | * Complete rewrite of the OpenSSL random number generator to introduce the |
130 | following capabilities | |
131 | * The default RAND method now utilizes an AES-CTR DRBG according to | |
132 | NIST standard SP 800-90Ar1. | |
133 | * Support for multiple DRBG instances with seed chaining. | |
134 | * There is a public and private DRBG instance. | |
135 | * The DRBG instances are fork-safe. | |
136 | * Keep all global DRBG instances on the secure heap if it is enabled. | |
137 | * The public and private DRBG instance are per thread for lock free | |
138 | operation | |
139 | * Support for various new cryptographic algorithms including: | |
140 | * SHA3 | |
141 | * SHA512/224 and SHA512/256 | |
142 | * EdDSA (both Ed25519 and Ed448) including X509 and TLS support | |
143 | * X448 (adding to the existing X25519 support in 1.1.0) | |
144 | * Multi-prime RSA | |
145 | * SM2 | |
146 | * SM3 | |
147 | * SM4 | |
148 | * SipHash | |
149 | * ARIA (including TLS support) | |
150 | * Significant Side-Channel attack security improvements | |
151 | * Add a new ClientHello callback to provide the ability to adjust the SSL | |
152 | object at an early stage. | |
153 | * Add 'Maximum Fragment Length' TLS extension negotiation and support | |
154 | * A new STORE module, which implements a uniform and URI based reader of | |
155 | stores that can contain keys, certificates, CRLs and numerous other | |
156 | objects. | |
157 | * Move the display of configuration data to configdata.pm. | |
158 | * Allow GNU style "make variables" to be used with Configure. | |
159 | * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes | |
160 | * Rewrite of devcrypto engine | |
161 | ||
4477beac DMSP |
162 | OpenSSL 1.1.0 |
163 | ------------- | |
164 | ||
257e9d03 | 165 | ### Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019] |
4477beac DMSP |
166 | |
167 | * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey | |
168 | ([CVE-2019-1563][]) | |
169 | * For built-in EC curves, ensure an EC_GROUP built from the curve name is | |
170 | used even when parsing explicit parameters | |
171 | * Compute ECC cofactors if not provided during EC_GROUP construction | |
172 | ([CVE-2019-1547][]) | |
173 | * Use Windows installation paths in the mingw builds ([CVE-2019-1552][]) | |
174 | ||
257e9d03 | 175 | ### Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019] |
4477beac DMSP |
176 | |
177 | * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543][]) | |
178 | ||
257e9d03 | 179 | ### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018] |
4477beac DMSP |
180 | |
181 | * Timing vulnerability in DSA signature generation ([CVE-2018-0734][]) | |
182 | * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735][]) | |
183 | ||
257e9d03 | 184 | ### Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] |
5f8e6c50 | 185 | |
4477beac DMSP |
186 | * Client DoS due to large DH parameter ([CVE-2018-0732][]) |
187 | * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737][]) | |
188 | ||
257e9d03 | 189 | ### Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018] |
5f8e6c50 DMSP |
190 | |
191 | * Constructed ASN.1 types with a recursive definition could exceed the | |
4477beac DMSP |
192 | stack ([CVE-2018-0739][]) |
193 | * Incorrect CRYPTO_memcmp on HP-UX PA-RISC ([CVE-2018-0733][]) | |
194 | * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738][]) | |
5f8e6c50 | 195 | |
257e9d03 | 196 | ### Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017] |
5f8e6c50 | 197 | |
4477beac DMSP |
198 | * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736][]) |
199 | * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735][]) | |
5f8e6c50 | 200 | |
257e9d03 | 201 | ### Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017] |
5f8e6c50 DMSP |
202 | |
203 | * config now recognises 64-bit mingw and chooses mingw64 instead of mingw | |
204 | ||
257e9d03 | 205 | ### Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017] |
5f8e6c50 | 206 | |
4477beac | 207 | * Encrypt-Then-Mac renegotiation crash ([CVE-2017-3733][]) |
5f8e6c50 | 208 | |
257e9d03 | 209 | ### Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017] |
5f8e6c50 | 210 | |
4477beac DMSP |
211 | * Truncated packet could crash via OOB read ([CVE-2017-3731][]) |
212 | * Bad (EC)DHE parameters cause a client crash ([CVE-2017-3730][]) | |
213 | * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732][]) | |
5f8e6c50 | 214 | |
257e9d03 | 215 | ### Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016] |
5f8e6c50 | 216 | |
4477beac DMSP |
217 | * ChaCha20/Poly1305 heap-buffer-overflow ([CVE-2016-7054][]) |
218 | * CMS Null dereference ([CVE-2016-7053][]) | |
219 | * Montgomery multiplication may produce incorrect results ([CVE-2016-7055][]) | |
5f8e6c50 | 220 | |
257e9d03 | 221 | ### Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016] |
5f8e6c50 | 222 | |
4477beac | 223 | * Fix Use After Free for large message sizes ([CVE-2016-6309][]) |
5f8e6c50 | 224 | |
257e9d03 | 225 | ### Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016] |
5f8e6c50 | 226 | |
4477beac DMSP |
227 | * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][]) |
228 | * SSL_peek() hang on empty record ([CVE-2016-6305][]) | |
5f8e6c50 | 229 | * Excessive allocation of memory in tls_get_message_header() |
4477beac | 230 | ([CVE-2016-6307][]) |
5f8e6c50 | 231 | * Excessive allocation of memory in dtls1_preprocess_fragment() |
4477beac | 232 | ([CVE-2016-6308][]) |
5f8e6c50 | 233 | |
257e9d03 | 234 | ### Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016] |
5f8e6c50 DMSP |
235 | |
236 | * Copyright text was shrunk to a boilerplate that points to the license | |
237 | * "shared" builds are now the default when possible | |
238 | * Added support for "pipelining" | |
239 | * Added the AFALG engine | |
240 | * New threading API implemented | |
241 | * Support for ChaCha20 and Poly1305 added to libcrypto and libssl | |
242 | * Support for extended master secret | |
243 | * CCM ciphersuites | |
244 | * Reworked test suite, now based on perl, Test::Harness and Test::More | |
245 | * *Most* libcrypto and libssl public structures were made opaque, | |
246 | including: | |
247 | BIGNUM and associated types, EC_KEY and EC_KEY_METHOD, | |
248 | DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD, | |
249 | BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, | |
250 | EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX, | |
251 | X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE, | |
252 | X509_LOOKUP, X509_LOOKUP_METHOD | |
253 | * libssl internal structures made opaque | |
254 | * SSLv2 support removed | |
255 | * Kerberos ciphersuite support removed | |
256 | * RC4 removed from DEFAULT ciphersuites in libssl | |
257 | * 40 and 56 bit cipher support removed from libssl | |
258 | * All public header files moved to include/openssl, no more symlinking | |
259 | * SSL/TLS state machine, version negotiation and record layer rewritten | |
260 | * EC revision: now operations use new EC_KEY_METHOD. | |
261 | * Support for OCB mode added to libcrypto | |
262 | * Support for asynchronous crypto operations added to libcrypto and libssl | |
263 | * Deprecated interfaces can now be disabled at build time either | |
264 | relative to the latest release via the "no-deprecated" Configure | |
265 | argument, or via the "--api=1.1.0|1.0.0|0.9.8" option. | |
266 | * Application software can be compiled with -DOPENSSL_API_COMPAT=version | |
267 | to ensure that features deprecated in that version are not exposed. | |
268 | * Support for RFC6698/RFC7671 DANE TLSA peer authentication | |
269 | * Change of Configure to use --prefix as the main installation | |
270 | directory location rather than --openssldir. The latter becomes | |
271 | the directory for certs, private key and openssl.cnf exclusively. | |
272 | * Reworked BIO networking library, with full support for IPv6. | |
273 | * New "unified" build system | |
274 | * New security levels | |
275 | * Support for scrypt algorithm | |
276 | * Support for X25519 | |
277 | * Extended SSL_CONF support using configuration files | |
278 | * KDF algorithm support. Implement TLS PRF as a KDF. | |
279 | * Support for Certificate Transparency | |
280 | * HKDF support. | |
281 | ||
4477beac DMSP |
282 | OpenSSL 1.0.2 |
283 | ------------- | |
284 | ||
257e9d03 | 285 | ### Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] |
4477beac DMSP |
286 | |
287 | * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey | |
288 | ([CVE-2019-1563][]) | |
289 | * For built-in EC curves, ensure an EC_GROUP built from the curve name is | |
290 | used even when parsing explicit parameters | |
291 | * Compute ECC cofactors if not provided during EC_GROUP construction | |
292 | ([CVE-2019-1547][]) | |
293 | * Document issue with installation paths in diverse Windows builds | |
294 | ([CVE-2019-1552][]) | |
295 | ||
257e9d03 | 296 | ### Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] |
4477beac DMSP |
297 | |
298 | * None | |
299 | ||
257e9d03 | 300 | ### Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] |
4477beac DMSP |
301 | |
302 | * 0-byte record padding oracle ([CVE-2019-1559][]) | |
303 | ||
257e9d03 | 304 | ### Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] |
4477beac DMSP |
305 | |
306 | * Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407][]) | |
307 | * Timing vulnerability in DSA signature generation ([CVE-2018-0734][]) | |
308 | ||
257e9d03 | 309 | ### Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] |
4477beac DMSP |
310 | |
311 | * Client DoS due to large DH parameter ([CVE-2018-0732][]) | |
312 | * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737][]) | |
313 | ||
257e9d03 | 314 | ### Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018] |
4477beac DMSP |
315 | |
316 | * Constructed ASN.1 types with a recursive definition could exceed the | |
317 | stack ([CVE-2018-0739][]) | |
318 | ||
257e9d03 | 319 | ### Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017] |
4477beac DMSP |
320 | |
321 | * Read/write after SSL object in error state ([CVE-2017-3737][]) | |
322 | * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738][]) | |
323 | ||
257e9d03 | 324 | ### Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017] |
4477beac DMSP |
325 | |
326 | * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736][]) | |
327 | * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735][]) | |
328 | ||
257e9d03 | 329 | ### Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017] |
4477beac DMSP |
330 | |
331 | * config now recognises 64-bit mingw and chooses mingw64 instead of mingw | |
332 | ||
257e9d03 | 333 | ### Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] |
4477beac DMSP |
334 | |
335 | * Truncated packet could crash via OOB read ([CVE-2017-3731][]) | |
336 | * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732][]) | |
337 | * Montgomery multiplication may produce incorrect results ([CVE-2016-7055][]) | |
338 | ||
257e9d03 | 339 | ### Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] |
4477beac DMSP |
340 | |
341 | * Missing CRL sanity check ([CVE-2016-7052][]) | |
342 | ||
257e9d03 | 343 | ### Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] |
4477beac DMSP |
344 | |
345 | * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][]) | |
346 | * SWEET32 Mitigation ([CVE-2016-2183][]) | |
347 | * OOB write in MDC2_Update() ([CVE-2016-6303][]) | |
348 | * Malformed SHA512 ticket DoS ([CVE-2016-6302][]) | |
349 | * OOB write in BN_bn2dec() ([CVE-2016-2182][]) | |
350 | * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180][]) | |
351 | * Pointer arithmetic undefined behaviour ([CVE-2016-2177][]) | |
352 | * Constant time flag not preserved in DSA signing ([CVE-2016-2178][]) | |
353 | * DTLS buffered message DoS ([CVE-2016-2179][]) | |
354 | * DTLS replay protection DoS ([CVE-2016-2181][]) | |
355 | * Certificate message OOB reads ([CVE-2016-6306][]) | |
356 | ||
257e9d03 | 357 | ### Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] |
4477beac DMSP |
358 | |
359 | * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107][]) | |
360 | * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105][]) | |
361 | * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106][]) | |
362 | * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109][]) | |
363 | * EBCDIC overread ([CVE-2016-2176][]) | |
5f8e6c50 DMSP |
364 | * Modify behavior of ALPN to invoke callback after SNI/servername |
365 | callback, such that updates to the SSL_CTX affect ALPN. | |
366 | * Remove LOW from the DEFAULT cipher list. This removes singles DES from | |
367 | the default. | |
368 | * Only remove the SSLv2 methods with the no-ssl2-method option. | |
369 | ||
257e9d03 | 370 | ### Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] |
5f8e6c50 DMSP |
371 | |
372 | * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. | |
373 | * Disable SSLv2 default build, default negotiation and weak ciphers | |
4477beac DMSP |
374 | ([CVE-2016-0800][]) |
375 | * Fix a double-free in DSA code ([CVE-2016-0705][]) | |
5f8e6c50 | 376 | * Disable SRP fake user seed to address a server memory leak |
4477beac | 377 | ([CVE-2016-0798][]) |
5f8e6c50 | 378 | * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption |
4477beac DMSP |
379 | ([CVE-2016-0797][]) |
380 | * Fix memory issues in BIO_*printf functions ([CVE-2016-0799][]) | |
381 | * Fix side channel attack on modular exponentiation ([CVE-2016-0702][]) | |
5f8e6c50 | 382 | |
257e9d03 | 383 | ### Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016] |
5f8e6c50 | 384 | |
4477beac DMSP |
385 | * DH small subgroups ([CVE-2016-0701][]) |
386 | * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197][]) | |
5f8e6c50 | 387 | |
257e9d03 | 388 | ### Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] |
5f8e6c50 | 389 | |
4477beac DMSP |
390 | * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2015-3193][]) |
391 | * Certificate verify crash with missing PSS parameter ([CVE-2015-3194][]) | |
392 | * X509_ATTRIBUTE memory leak ([CVE-2015-3195][]) | |
5f8e6c50 DMSP |
393 | * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs |
394 | * In DSA_generate_parameters_ex, if the provided seed is too short, | |
395 | return an error | |
396 | ||
257e9d03 | 397 | ### Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] |
5f8e6c50 | 398 | |
4477beac DMSP |
399 | * Alternate chains certificate forgery ([CVE-2015-1793][]) |
400 | * Race condition handling PSK identify hint ([CVE-2015-3196][]) | |
5f8e6c50 | 401 | |
257e9d03 | 402 | ### Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] |
5f8e6c50 DMSP |
403 | |
404 | * Fix HMAC ABI incompatibility | |
405 | ||
257e9d03 | 406 | ### Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015] |
4477beac DMSP |
407 | |
408 | * Malformed ECParameters causes infinite loop ([CVE-2015-1788][]) | |
409 | * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][]) | |
410 | * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790][]) | |
411 | * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][]) | |
412 | * Race condition handling NewSessionTicket ([CVE-2015-1791][]) | |
413 | ||
257e9d03 | 414 | ### Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015] |
4477beac DMSP |
415 | |
416 | * OpenSSL 1.0.2 ClientHello sigalgs DoS fix ([CVE-2015-0291][]) | |
417 | * Multiblock corrupted pointer fix ([CVE-2015-0290][]) | |
418 | * Segmentation fault in DTLSv1_listen fix ([CVE-2015-0207][]) | |
419 | * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][]) | |
420 | * Segmentation fault for invalid PSS parameters fix ([CVE-2015-0208][]) | |
421 | * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][]) | |
422 | * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289][]) | |
423 | * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293][]) | |
424 | * Empty CKE with client auth and DHE fix ([CVE-2015-1787][]) | |
425 | * Handshake with unseeded PRNG fix ([CVE-2015-0285][]) | |
426 | * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209][]) | |
427 | * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][]) | |
5f8e6c50 DMSP |
428 | * Removed the export ciphers from the DEFAULT ciphers |
429 | ||
257e9d03 | 430 | ### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015] |
5f8e6c50 DMSP |
431 | |
432 | * Suite B support for TLS 1.2 and DTLS 1.2 | |
433 | * Support for DTLS 1.2 | |
434 | * TLS automatic EC curve selection. | |
435 | * API to set TLS supported signature algorithms and curves | |
436 | * SSL_CONF configuration API. | |
437 | * TLS Brainpool support. | |
438 | * ALPN support. | |
439 | * CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. | |
440 | ||
4477beac DMSP |
441 | OpenSSL 1.0.1 |
442 | ------------- | |
443 | ||
257e9d03 | 444 | ### Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016] |
4477beac DMSP |
445 | |
446 | * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][]) | |
447 | * SWEET32 Mitigation ([CVE-2016-2183][]) | |
448 | * OOB write in MDC2_Update() ([CVE-2016-6303][]) | |
449 | * Malformed SHA512 ticket DoS ([CVE-2016-6302][]) | |
450 | * OOB write in BN_bn2dec() ([CVE-2016-2182][]) | |
451 | * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180][]) | |
452 | * Pointer arithmetic undefined behaviour ([CVE-2016-2177][]) | |
453 | * Constant time flag not preserved in DSA signing ([CVE-2016-2178][]) | |
454 | * DTLS buffered message DoS ([CVE-2016-2179][]) | |
455 | * DTLS replay protection DoS ([CVE-2016-2181][]) | |
456 | * Certificate message OOB reads ([CVE-2016-6306][]) | |
457 | ||
257e9d03 | 458 | ### Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016] |
4477beac DMSP |
459 | |
460 | * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107][]) | |
461 | * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105][]) | |
462 | * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106][]) | |
463 | * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109][]) | |
464 | * EBCDIC overread ([CVE-2016-2176][]) | |
465 | * Modify behavior of ALPN to invoke callback after SNI/servername | |
466 | callback, such that updates to the SSL_CTX affect ALPN. | |
467 | * Remove LOW from the DEFAULT cipher list. This removes singles DES from | |
468 | the default. | |
469 | * Only remove the SSLv2 methods with the no-ssl2-method option. | |
470 | ||
257e9d03 | 471 | ### Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016] |
4477beac DMSP |
472 | |
473 | * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. | |
474 | * Disable SSLv2 default build, default negotiation and weak ciphers | |
475 | ([CVE-2016-0800][]) | |
476 | * Fix a double-free in DSA code ([CVE-2016-0705][]) | |
477 | * Disable SRP fake user seed to address a server memory leak | |
478 | ([CVE-2016-0798][]) | |
479 | * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption | |
480 | ([CVE-2016-0797][]) | |
481 | * Fix memory issues in BIO_*printf functions ([CVE-2016-0799][]) | |
482 | * Fix side channel attack on modular exponentiation ([CVE-2016-0702][]) | |
483 | ||
257e9d03 | 484 | ### Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016] |
4477beac DMSP |
485 | |
486 | * Protection for DH small subgroup attacks | |
487 | * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197][]) | |
488 | ||
257e9d03 | 489 | ### Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015] |
4477beac DMSP |
490 | |
491 | * Certificate verify crash with missing PSS parameter ([CVE-2015-3194][]) | |
492 | * X509_ATTRIBUTE memory leak ([CVE-2015-3195][]) | |
493 | * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs | |
494 | * In DSA_generate_parameters_ex, if the provided seed is too short, | |
495 | return an error | |
496 | ||
257e9d03 | 497 | ### Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015] |
4477beac DMSP |
498 | |
499 | * Alternate chains certificate forgery ([CVE-2015-1793][]) | |
500 | * Race condition handling PSK identify hint ([CVE-2015-3196][]) | |
501 | ||
257e9d03 | 502 | ### Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015] |
4477beac DMSP |
503 | |
504 | * Fix HMAC ABI incompatibility | |
505 | ||
257e9d03 | 506 | ### Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] |
4477beac DMSP |
507 | |
508 | * Malformed ECParameters causes infinite loop ([CVE-2015-1788][]) | |
509 | * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][]) | |
510 | * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790][]) | |
511 | * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][]) | |
512 | * Race condition handling NewSessionTicket ([CVE-2015-1791][]) | |
513 | ||
257e9d03 | 514 | ### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015] |
4477beac DMSP |
515 | |
516 | * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][]) | |
517 | * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][]) | |
518 | * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289][]) | |
519 | * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293][]) | |
520 | * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209][]) | |
521 | * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][]) | |
522 | * Removed the export ciphers from the DEFAULT ciphers | |
523 | ||
257e9d03 | 524 | ### Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015] |
5f8e6c50 DMSP |
525 | |
526 | * Build fixes for the Windows and OpenVMS platforms | |
527 | ||
257e9d03 | 528 | ### Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015] |
4477beac DMSP |
529 | |
530 | * Fix for [CVE-2014-3571][] | |
531 | * Fix for [CVE-2015-0206][] | |
532 | * Fix for [CVE-2014-3569][] | |
533 | * Fix for [CVE-2014-3572][] | |
534 | * Fix for [CVE-2015-0204][] | |
535 | * Fix for [CVE-2015-0205][] | |
536 | * Fix for [CVE-2014-8275][] | |
537 | * Fix for [CVE-2014-3570][] | |
538 | ||
257e9d03 | 539 | ### Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] |
4477beac DMSP |
540 | |
541 | * Fix for [CVE-2014-3513][] | |
542 | * Fix for [CVE-2014-3567][] | |
543 | * Mitigation for [CVE-2014-3566][] (SSL protocol vulnerability) | |
544 | * Fix for [CVE-2014-3568][] | |
545 | ||
257e9d03 | 546 | ### Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014] |
4477beac DMSP |
547 | |
548 | * Fix for [CVE-2014-3512][] | |
549 | * Fix for [CVE-2014-3511][] | |
550 | * Fix for [CVE-2014-3510][] | |
551 | * Fix for [CVE-2014-3507][] | |
552 | * Fix for [CVE-2014-3506][] | |
553 | * Fix for [CVE-2014-3505][] | |
554 | * Fix for [CVE-2014-3509][] | |
555 | * Fix for [CVE-2014-5139][] | |
556 | * Fix for [CVE-2014-3508][] | |
557 | ||
257e9d03 | 558 | ### Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] |
4477beac DMSP |
559 | |
560 | * Fix for [CVE-2014-0224][] | |
561 | * Fix for [CVE-2014-0221][] | |
562 | * Fix for [CVE-2014-0198][] | |
563 | * Fix for [CVE-2014-0195][] | |
564 | * Fix for [CVE-2014-3470][] | |
565 | * Fix for [CVE-2010-5298][] | |
566 | ||
257e9d03 | 567 | ### Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014] |
4477beac DMSP |
568 | |
569 | * Fix for [CVE-2014-0160][] | |
5f8e6c50 | 570 | * Add TLS padding extension workaround for broken servers. |
4477beac | 571 | * Fix for [CVE-2014-0076][] |
5f8e6c50 | 572 | |
257e9d03 | 573 | ### Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014] |
5f8e6c50 DMSP |
574 | |
575 | * Don't include gmt_unix_time in TLS server and client random values | |
4477beac DMSP |
576 | * Fix for TLS record tampering bug [CVE-2013-4353][] |
577 | * Fix for TLS version checking bug [CVE-2013-6449][] | |
578 | * Fix for DTLS retransmission bug [CVE-2013-6450][] | |
5f8e6c50 | 579 | |
257e9d03 | 580 | ### Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013] |
5f8e6c50 | 581 | |
4477beac | 582 | * Corrected fix for [CVE-2013-0169][] |
5f8e6c50 | 583 | |
257e9d03 | 584 | ### Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013] |
5f8e6c50 DMSP |
585 | |
586 | * Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. | |
587 | * Include the fips configuration module. | |
4477beac DMSP |
588 | * Fix OCSP bad key DoS attack [CVE-2013-0166][] |
589 | * Fix for SSL/TLS/DTLS CBC plaintext recovery attack [CVE-2013-0169][] | |
590 | * Fix for TLS AESNI record handling flaw [CVE-2012-2686][] | |
5f8e6c50 | 591 | |
257e9d03 | 592 | ### Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012] |
5f8e6c50 | 593 | |
4477beac | 594 | * Fix TLS/DTLS record length checking bug [CVE-2012-2333][] |
5f8e6c50 DMSP |
595 | * Don't attempt to use non-FIPS composite ciphers in FIPS mode. |
596 | ||
257e9d03 | 597 | ### Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012] |
5f8e6c50 DMSP |
598 | |
599 | * Fix compilation error on non-x86 platforms. | |
600 | * Make FIPS capable OpenSSL ciphers work in non-FIPS mode. | |
601 | * Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0 | |
602 | ||
257e9d03 | 603 | ### Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012] |
5f8e6c50 | 604 | |
4477beac | 605 | * Fix for ASN1 overflow bug [CVE-2012-2110][] |
5f8e6c50 DMSP |
606 | * Workarounds for some servers that hang on long client hellos. |
607 | * Fix SEGV in AES code. | |
608 | ||
257e9d03 | 609 | ### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012] |
5f8e6c50 DMSP |
610 | |
611 | * TLS/DTLS heartbeat support. | |
612 | * SCTP support. | |
613 | * RFC 5705 TLS key material exporter. | |
614 | * RFC 5764 DTLS-SRTP negotiation. | |
615 | * Next Protocol Negotiation. | |
616 | * PSS signatures in certificates, requests and CRLs. | |
617 | * Support for password based recipient info for CMS. | |
618 | * Support TLS v1.2 and TLS v1.1. | |
619 | * Preliminary FIPS capability for unvalidated 2.0 FIPS module. | |
620 | * SRP support. | |
621 | ||
4477beac DMSP |
622 | OpenSSL 1.0.0 |
623 | ------------- | |
624 | ||
257e9d03 | 625 | ### Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [3 Dec 2015] |
4477beac DMSP |
626 | |
627 | * X509_ATTRIBUTE memory leak ([CVE-2015-3195][]) | |
628 | * Race condition handling PSK identify hint ([CVE-2015-3196][]) | |
629 | ||
257e9d03 | 630 | ### Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015] |
4477beac DMSP |
631 | |
632 | * Malformed ECParameters causes infinite loop ([CVE-2015-1788][]) | |
633 | * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][]) | |
634 | * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790][]) | |
635 | * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][]) | |
636 | * Race condition handling NewSessionTicket ([CVE-2015-1791][]) | |
637 | ||
257e9d03 | 638 | ### Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015] |
4477beac DMSP |
639 | |
640 | * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][]) | |
641 | * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][]) | |
642 | * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289][]) | |
643 | * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293][]) | |
644 | * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209][]) | |
645 | * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][]) | |
646 | * Removed the export ciphers from the DEFAULT ciphers | |
647 | ||
257e9d03 | 648 | ### Major changes between OpenSSL 1.0.0p and OpenSSL 1.0.0q [15 Jan 2015] |
4477beac DMSP |
649 | |
650 | * Build fixes for the Windows and OpenVMS platforms | |
651 | ||
257e9d03 | 652 | ### Major changes between OpenSSL 1.0.0o and OpenSSL 1.0.0p [8 Jan 2015] |
4477beac DMSP |
653 | |
654 | * Fix for [CVE-2014-3571][] | |
655 | * Fix for [CVE-2015-0206][] | |
656 | * Fix for [CVE-2014-3569][] | |
657 | * Fix for [CVE-2014-3572][] | |
658 | * Fix for [CVE-2015-0204][] | |
659 | * Fix for [CVE-2015-0205][] | |
660 | * Fix for [CVE-2014-8275][] | |
661 | * Fix for [CVE-2014-3570][] | |
662 | ||
257e9d03 | 663 | ### Major changes between OpenSSL 1.0.0n and OpenSSL 1.0.0o [15 Oct 2014] |
4477beac DMSP |
664 | |
665 | * Fix for [CVE-2014-3513][] | |
666 | * Fix for [CVE-2014-3567][] | |
667 | * Mitigation for [CVE-2014-3566][] (SSL protocol vulnerability) | |
668 | * Fix for [CVE-2014-3568][] | |
669 | ||
257e9d03 | 670 | ### Major changes between OpenSSL 1.0.0m and OpenSSL 1.0.0n [6 Aug 2014] |
4477beac DMSP |
671 | |
672 | * Fix for [CVE-2014-3510][] | |
673 | * Fix for [CVE-2014-3507][] | |
674 | * Fix for [CVE-2014-3506][] | |
675 | * Fix for [CVE-2014-3505][] | |
676 | * Fix for [CVE-2014-3509][] | |
677 | * Fix for [CVE-2014-3508][] | |
678 | ||
679 | Known issues in OpenSSL 1.0.0m: | |
680 | ||
681 | * EAP-FAST and other applications using tls_session_secret_cb | |
682 | wont resume sessions. Fixed in 1.0.0n-dev | |
683 | * Compilation failure of s3_pkt.c on some platforms due to missing | |
257e9d03 | 684 | `<limits.h>` include. Fixed in 1.0.0n-dev |
4477beac | 685 | |
257e9d03 | 686 | ### Major changes between OpenSSL 1.0.0l and OpenSSL 1.0.0m [5 Jun 2014] |
4477beac DMSP |
687 | |
688 | * Fix for [CVE-2014-0224][] | |
689 | * Fix for [CVE-2014-0221][] | |
690 | * Fix for [CVE-2014-0198][] | |
691 | * Fix for [CVE-2014-0195][] | |
692 | * Fix for [CVE-2014-3470][] | |
693 | * Fix for [CVE-2014-0076][] | |
694 | * Fix for [CVE-2010-5298][] | |
695 | ||
257e9d03 | 696 | ### Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014] |
4477beac DMSP |
697 | |
698 | * Fix for DTLS retransmission bug [CVE-2013-6450][] | |
699 | ||
257e9d03 | 700 | ### Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013] |
4477beac DMSP |
701 | |
702 | * Fix for SSL/TLS/DTLS CBC plaintext recovery attack [CVE-2013-0169][] | |
703 | * Fix OCSP bad key DoS attack [CVE-2013-0166][] | |
704 | ||
257e9d03 | 705 | ### Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012] |
4477beac DMSP |
706 | |
707 | * Fix DTLS record length checking bug [CVE-2012-2333][] | |
708 | ||
257e9d03 | 709 | ### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012] |
4477beac DMSP |
710 | |
711 | * Fix for ASN1 overflow bug [CVE-2012-2110][] | |
712 | ||
257e9d03 | 713 | ### Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012] |
4477beac DMSP |
714 | |
715 | * Fix for CMS/PKCS#7 MMA [CVE-2012-0884][] | |
716 | * Corrected fix for [CVE-2011-4619][] | |
5f8e6c50 DMSP |
717 | * Various DTLS fixes. |
718 | ||
257e9d03 | 719 | ### Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012] |
5f8e6c50 | 720 | |
4477beac | 721 | * Fix for DTLS DoS issue [CVE-2012-0050][] |
5f8e6c50 | 722 | |
257e9d03 | 723 | ### Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012] |
5f8e6c50 | 724 | |
4477beac DMSP |
725 | * Fix for DTLS plaintext recovery attack [CVE-2011-4108][] |
726 | * Clear block padding bytes of SSL 3.0 records [CVE-2011-4576][] | |
727 | * Only allow one SGC handshake restart for SSL/TLS [CVE-2011-4619][] | |
728 | * Check parameters are not NULL in GOST ENGINE [CVE-2012-0027][] | |
729 | * Check for malformed RFC3779 data [CVE-2011-4577][] | |
5f8e6c50 | 730 | |
257e9d03 | 731 | ### Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011] |
5f8e6c50 | 732 | |
4477beac DMSP |
733 | * Fix for CRL vulnerability issue [CVE-2011-3207][] |
734 | * Fix for ECDH crashes [CVE-2011-3210][] | |
5f8e6c50 DMSP |
735 | * Protection against EC timing attacks. |
736 | * Support ECDH ciphersuites for certificates using SHA2 algorithms. | |
737 | * Various DTLS fixes. | |
738 | ||
257e9d03 | 739 | ### Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011] |
5f8e6c50 | 740 | |
4477beac | 741 | * Fix for security issue [CVE-2011-0014][] |
367eab2f | 742 | |
257e9d03 | 743 | ### Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010] |
5f8e6c50 | 744 | |
4477beac DMSP |
745 | * Fix for security issue [CVE-2010-4180][] |
746 | * Fix for [CVE-2010-4252][] | |
5f8e6c50 DMSP |
747 | * Fix mishandling of absent EC point format extension. |
748 | * Fix various platform compilation issues. | |
4477beac | 749 | * Corrected fix for security issue [CVE-2010-3864][]. |
5f8e6c50 | 750 | |
257e9d03 | 751 | ### Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010] |
5f8e6c50 | 752 | |
4477beac DMSP |
753 | * Fix for security issue [CVE-2010-3864][]. |
754 | * Fix for [CVE-2010-2939][] | |
5f8e6c50 DMSP |
755 | * Fix WIN32 build system for GOST ENGINE. |
756 | ||
257e9d03 | 757 | ### Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010] |
5f8e6c50 | 758 | |
4477beac | 759 | * Fix for security issue [CVE-2010-1633][]. |
5f8e6c50 DMSP |
760 | * GOST MAC and CFB fixes. |
761 | ||
257e9d03 | 762 | ### Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010] |
5f8e6c50 DMSP |
763 | |
764 | * RFC3280 path validation: sufficient to process PKITS tests. | |
765 | * Integrated support for PVK files and keyblobs. | |
766 | * Change default private key format to PKCS#8. | |
767 | * CMS support: able to process all examples in RFC4134 | |
768 | * Streaming ASN1 encode support for PKCS#7 and CMS. | |
769 | * Multiple signer and signer add support for PKCS#7 and CMS. | |
770 | * ASN1 printing support. | |
771 | * Whirlpool hash algorithm added. | |
772 | * RFC3161 time stamp support. | |
773 | * New generalised public key API supporting ENGINE based algorithms. | |
774 | * New generalised public key API utilities. | |
775 | * New ENGINE supporting GOST algorithms. | |
776 | * SSL/TLS GOST ciphersuite support. | |
777 | * PKCS#7 and CMS GOST support. | |
778 | * RFC4279 PSK ciphersuite support. | |
779 | * Supported points format extension for ECC ciphersuites. | |
780 | * ecdsa-with-SHA224/256/384/512 signature types. | |
781 | * dsa-with-SHA224 and dsa-with-SHA256 signature types. | |
782 | * Opaque PRF Input TLS extension support. | |
783 | * Updated time routines to avoid OS limitations. | |
784 | ||
4477beac DMSP |
785 | OpenSSL 0.9.x |
786 | ------------- | |
787 | ||
257e9d03 | 788 | ### Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010] |
5f8e6c50 DMSP |
789 | |
790 | * CFB cipher definition fixes. | |
4477beac | 791 | * Fix security issues [CVE-2010-0740][] and [CVE-2010-0433][]. |
5f8e6c50 | 792 | |
257e9d03 | 793 | ### Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010] |
5f8e6c50 DMSP |
794 | |
795 | * Cipher definition fixes. | |
796 | * Workaround for slow RAND_poll() on some WIN32 versions. | |
797 | * Remove MD2 from algorithm tables. | |
798 | * SPKAC handling fixes. | |
799 | * Support for RFC5746 TLS renegotiation extension. | |
800 | * Compression memory leak fixed. | |
801 | * Compression session resumption fixed. | |
802 | * Ticket and SNI coexistence fixes. | |
803 | * Many fixes to DTLS handling. | |
804 | ||
257e9d03 | 805 | ### Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009] |
5f8e6c50 | 806 | |
4477beac | 807 | * Temporary work around for [CVE-2009-3555][]: disable renegotiation. |
5f8e6c50 | 808 | |
257e9d03 | 809 | ### Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009] |
5f8e6c50 DMSP |
810 | |
811 | * Fix various build issues. | |
4477beac | 812 | * Fix security issues ([CVE-2009-0590][], [CVE-2009-0591][], [CVE-2009-0789][]) |
5f8e6c50 | 813 | |
257e9d03 | 814 | ### Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009] |
5f8e6c50 | 815 | |
4477beac | 816 | * Fix security issue ([CVE-2008-5077][]) |
5f8e6c50 DMSP |
817 | * Merge FIPS 140-2 branch code. |
818 | ||
257e9d03 | 819 | ### Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008] |
5f8e6c50 DMSP |
820 | |
821 | * CryptoAPI ENGINE support. | |
822 | * Various precautionary measures. | |
823 | * Fix for bugs affecting certificate request creation. | |
824 | * Support for local machine keyset attribute in PKCS#12 files. | |
825 | ||
257e9d03 | 826 | ### Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007] |
5f8e6c50 DMSP |
827 | |
828 | * Backport of CMS functionality to 0.9.8. | |
829 | * Fixes for bugs introduced with 0.9.8f. | |
830 | ||
257e9d03 | 831 | ### Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007] |
5f8e6c50 DMSP |
832 | |
833 | * Add gcc 4.2 support. | |
834 | * Add support for AES and SSE2 assembly language optimization | |
835 | for VC++ build. | |
836 | * Support for RFC4507bis and server name extensions if explicitly | |
837 | selected at compile time. | |
838 | * DTLS improvements. | |
839 | * RFC4507bis support. | |
840 | * TLS Extensions support. | |
841 | ||
257e9d03 | 842 | ### Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007] |
5f8e6c50 DMSP |
843 | |
844 | * Various ciphersuite selection fixes. | |
845 | * RFC3779 support. | |
846 | ||
257e9d03 | 847 | ### Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006] |
5f8e6c50 | 848 | |
4477beac DMSP |
849 | * Introduce limits to prevent malicious key DoS ([CVE-2006-2940][]) |
850 | * Fix security issues ([CVE-2006-2937][], [CVE-2006-3737][], [CVE-2006-4343][]) | |
5f8e6c50 DMSP |
851 | * Changes to ciphersuite selection algorithm |
852 | ||
257e9d03 | 853 | ### Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006] |
5f8e6c50 | 854 | |
4477beac | 855 | * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339][] |
5f8e6c50 DMSP |
856 | * New cipher Camellia |
857 | ||
257e9d03 | 858 | ### Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006] |
5f8e6c50 DMSP |
859 | |
860 | * Cipher string fixes. | |
861 | * Fixes for VC++ 2005. | |
862 | * Updated ECC cipher suite support. | |
863 | * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). | |
864 | * Zlib compression usage fixes. | |
865 | * Built in dynamic engine compilation support on Win32. | |
866 | * Fixes auto dynamic engine loading in Win32. | |
867 | ||
257e9d03 | 868 | ### Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005] |
5f8e6c50 | 869 | |
4477beac | 870 | * Fix potential SSL 2.0 rollback, [CVE-2005-2969][] |
5f8e6c50 DMSP |
871 | * Extended Windows CE support |
872 | ||
257e9d03 | 873 | ### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005] |
5f8e6c50 DMSP |
874 | |
875 | * Major work on the BIGNUM library for higher efficiency and to | |
876 | make operations more streamlined and less contradictory. This | |
877 | is the result of a major audit of the BIGNUM library. | |
878 | * Addition of BIGNUM functions for fields GF(2^m) and NIST | |
879 | curves, to support the Elliptic Crypto functions. | |
880 | * Major work on Elliptic Crypto; ECDH and ECDSA added, including | |
881 | the use through EVP, X509 and ENGINE. | |
882 | * New ASN.1 mini-compiler that's usable through the OpenSSL | |
883 | configuration file. | |
884 | * Added support for ASN.1 indefinite length constructed encoding. | |
885 | * New PKCS#12 'medium level' API to manipulate PKCS#12 files. | |
886 | * Complete rework of shared library construction and linking | |
887 | programs with shared or static libraries, through a separate | |
888 | Makefile.shared. | |
889 | * Rework of the passing of parameters from one Makefile to another. | |
890 | * Changed ENGINE framework to load dynamic engine modules | |
891 | automatically from specifically given directories. | |
892 | * New structure and ASN.1 functions for CertificatePair. | |
893 | * Changed the ZLIB compression method to be stateful. | |
894 | * Changed the key-generation and primality testing "progress" | |
895 | mechanism to take a structure that contains the ticker | |
896 | function and an argument. | |
897 | * New engine module: GMP (performs private key exponentiation). | |
898 | * New engine module: VIA PadLOck ACE extension in VIA C3 | |
899 | Nehemiah processors. | |
900 | * Added support for IPv6 addresses in certificate extensions. | |
901 | See RFC 1884, section 2.2. | |
902 | * Added support for certificate policy mappings, policy | |
903 | constraints and name constraints. | |
904 | * Added support for multi-valued AVAs in the OpenSSL | |
905 | configuration file. | |
906 | * Added support for multiple certificates with the same subject | |
907 | in the 'openssl ca' index file. | |
908 | * Make it possible to create self-signed certificates using | |
909 | 'openssl ca -selfsign'. | |
910 | * Make it possible to generate a serial number file with | |
911 | 'openssl ca -create_serial'. | |
912 | * New binary search functions with extended functionality. | |
913 | * New BUF functions. | |
914 | * New STORE structure and library to provide an interface to all | |
915 | sorts of data repositories. Supports storage of public and | |
916 | private keys, certificates, CRLs, numbers and arbitrary blobs. | |
917 | This library is unfortunately unfinished and unused within | |
918 | OpenSSL. | |
919 | * New control functions for the error stack. | |
920 | * Changed the PKCS#7 library to support one-pass S/MIME | |
921 | processing. | |
922 | * Added the possibility to compile without old deprecated | |
923 | functionality with the OPENSSL_NO_DEPRECATED macro or the | |
924 | 'no-deprecated' argument to the config and Configure scripts. | |
925 | * Constification of all ASN.1 conversion functions, and other | |
926 | affected functions. | |
927 | * Improved platform support for PowerPC. | |
928 | * New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). | |
929 | * New X509_VERIFY_PARAM structure to support parameterisation | |
930 | of X.509 path validation. | |
931 | * Major overhaul of RC4 performance on Intel P4, IA-64 and | |
932 | AMD64. | |
933 | * Changed the Configure script to have some algorithms disabled | |
934 | by default. Those can be explicitly enabled with the new | |
935 | argument form 'enable-xxx'. | |
936 | * Change the default digest in 'openssl' commands from MD5 to | |
937 | SHA-1. | |
938 | * Added support for DTLS. | |
939 | * New BIGNUM blinding. | |
940 | * Added support for the RSA-PSS encryption scheme | |
941 | * Added support for the RSA X.931 padding. | |
942 | * Added support for BSD sockets on NetWare. | |
943 | * Added support for files larger than 2GB. | |
944 | * Added initial support for Win64. | |
945 | * Added alternate pkg-config files. | |
946 | ||
257e9d03 | 947 | ### Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007] |
5f8e6c50 DMSP |
948 | |
949 | * FIPS 1.1.1 module linking. | |
950 | * Various ciphersuite selection fixes. | |
951 | ||
257e9d03 | 952 | ### Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006] |
5f8e6c50 | 953 | |
4477beac DMSP |
954 | * Introduce limits to prevent malicious key DoS ([CVE-2006-2940][]) |
955 | * Fix security issues ([CVE-2006-2937][], [CVE-2006-3737][], [CVE-2006-4343][]) | |
5f8e6c50 | 956 | |
257e9d03 | 957 | ### Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006] |
5f8e6c50 | 958 | |
4477beac | 959 | * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339][] |
5f8e6c50 | 960 | |
257e9d03 | 961 | ### Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006] |
5f8e6c50 DMSP |
962 | |
963 | * Visual C++ 2005 fixes. | |
964 | * Update Windows build system for FIPS. | |
965 | ||
257e9d03 | 966 | ### Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005] |
5f8e6c50 DMSP |
967 | |
968 | * Give EVP_MAX_MD_SIZE its old value, except for a FIPS build. | |
969 | ||
257e9d03 | 970 | ### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005] |
5f8e6c50 | 971 | |
4477beac | 972 | * Fix SSL 2.0 Rollback, [CVE-2005-2969][] |
5f8e6c50 DMSP |
973 | * Allow use of fixed-length exponent on DSA signing |
974 | * Default fixed-window RSA, DSA, DH private-key operations | |
975 | ||
257e9d03 | 976 | ### Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005] |
5f8e6c50 DMSP |
977 | |
978 | * More compilation issues fixed. | |
979 | * Adaptation to more modern Kerberos API. | |
980 | * Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. | |
981 | * Enhanced x86_64 assembler BIGNUM module. | |
982 | * More constification. | |
983 | * Added processing of proxy certificates (RFC 3820). | |
984 | ||
257e9d03 | 985 | ### Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005] |
5f8e6c50 DMSP |
986 | |
987 | * Several compilation issues fixed. | |
988 | * Many memory allocation failure checks added. | |
989 | * Improved comparison of X509 Name type. | |
990 | * Mandatory basic checks on certificates. | |
991 | * Performance improvements. | |
992 | ||
257e9d03 | 993 | ### Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004] |
5f8e6c50 DMSP |
994 | |
995 | * Fix race condition in CRL checking code. | |
996 | * Fixes to PKCS#7 (S/MIME) code. | |
997 | ||
257e9d03 | 998 | ### Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004] |
5f8e6c50 DMSP |
999 | |
1000 | * Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug | |
1001 | * Security: Fix null-pointer assignment in do_change_cipher_spec() | |
1002 | * Allow multiple active certificates with same subject in CA index | |
1003 | * Multiple X509 verification fixes | |
1004 | * Speed up HMAC and other operations | |
1005 | ||
257e9d03 | 1006 | ### Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003] |
5f8e6c50 DMSP |
1007 | |
1008 | * Security: fix various ASN1 parsing bugs. | |
1009 | * New -ignore_err option to OCSP utility. | |
1010 | * Various interop and bug fixes in S/MIME code. | |
1011 | * SSL/TLS protocol fix for unrequested client certificates. | |
1012 | ||
257e9d03 | 1013 | ### Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003] |
5f8e6c50 DMSP |
1014 | |
1015 | * Security: counter the Klima-Pokorny-Rosa extension of | |
1016 | Bleichbacher's attack | |
1017 | * Security: make RSA blinding default. | |
1018 | * Configuration: Irix fixes, AIX fixes, better mingw support. | |
1019 | * Support for new platforms: linux-ia64-ecc. | |
1020 | * Build: shared library support fixes. | |
1021 | * ASN.1: treat domainComponent correctly. | |
1022 | * Documentation: fixes and additions. | |
1023 | ||
257e9d03 | 1024 | ### Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003] |
5f8e6c50 DMSP |
1025 | |
1026 | * Security: Important security related bugfixes. | |
1027 | * Enhanced compatibility with MIT Kerberos. | |
1028 | * Can be built without the ENGINE framework. | |
1029 | * IA32 assembler enhancements. | |
1030 | * Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. | |
1031 | * Configuration: the no-err option now works properly. | |
1032 | * SSL/TLS: now handles manual certificate chain building. | |
1033 | * SSL/TLS: certain session ID malfunctions corrected. | |
1034 | ||
257e9d03 | 1035 | ### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002] |
5f8e6c50 DMSP |
1036 | |
1037 | * New library section OCSP. | |
1038 | * Complete rewrite of ASN1 code. | |
1039 | * CRL checking in verify code and openssl utility. | |
1040 | * Extension copying in 'ca' utility. | |
1041 | * Flexible display options in 'ca' utility. | |
1042 | * Provisional support for international characters with UTF8. | |
1043 | * Support for external crypto devices ('engine') is no longer | |
1044 | a separate distribution. | |
1045 | * New elliptic curve library section. | |
1046 | * New AES (Rijndael) library section. | |
1047 | * Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, | |
1048 | Linux x86_64, Linux 64-bit on Sparc v9 | |
1049 | * Extended support for some platforms: VxWorks | |
1050 | * Enhanced support for shared libraries. | |
1051 | * Now only builds PIC code when shared library support is requested. | |
1052 | * Support for pkg-config. | |
1053 | * Lots of new manuals. | |
1054 | * Makes symbolic links to or copies of manuals to cover all described | |
1055 | functions. | |
1056 | * Change DES API to clean up the namespace (some applications link also | |
1057 | against libdes providing similar functions having the same name). | |
1058 | Provide macros for backward compatibility (will be removed in the | |
1059 | future). | |
1060 | * Unify handling of cryptographic algorithms (software and engine) | |
1061 | to be available via EVP routines for asymmetric and symmetric ciphers. | |
1062 | * NCONF: new configuration handling routines. | |
1063 | * Change API to use more 'const' modifiers to improve error checking | |
1064 | and help optimizers. | |
1065 | * Finally remove references to RSAref. | |
1066 | * Reworked parts of the BIGNUM code. | |
1067 | * Support for new engines: Broadcom ubsec, Accelerated Encryption | |
1068 | Processing, IBM 4758. | |
1069 | * A few new engines added in the demos area. | |
1070 | * Extended and corrected OID (object identifier) table. | |
1071 | * PRNG: query at more locations for a random device, automatic query for | |
1072 | EGD style random sources at several locations. | |
1073 | * SSL/TLS: allow optional cipher choice according to server's preference. | |
1074 | * SSL/TLS: allow server to explicitly set new session ids. | |
1075 | * SSL/TLS: support Kerberos cipher suites (RFC2712). | |
1076 | Only supports MIT Kerberos for now. | |
1077 | * SSL/TLS: allow more precise control of renegotiations and sessions. | |
1078 | * SSL/TLS: add callback to retrieve SSL/TLS messages. | |
1079 | * SSL/TLS: support AES cipher suites (RFC3268). | |
1080 | ||
257e9d03 | 1081 | ### Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003] |
5f8e6c50 DMSP |
1082 | |
1083 | * Security: fix various ASN1 parsing bugs. | |
1084 | * SSL/TLS protocol fix for unrequested client certificates. | |
1085 | ||
257e9d03 | 1086 | ### Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003] |
5f8e6c50 DMSP |
1087 | |
1088 | * Security: counter the Klima-Pokorny-Rosa extension of | |
1089 | Bleichbacher's attack | |
1090 | * Security: make RSA blinding default. | |
1091 | * Build: shared library support fixes. | |
1092 | ||
257e9d03 | 1093 | ### Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003] |
5f8e6c50 DMSP |
1094 | |
1095 | * Important security related bugfixes. | |
1096 | ||
257e9d03 | 1097 | ### Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002] |
5f8e6c50 DMSP |
1098 | |
1099 | * New configuration targets for Tandem OSS and A/UX. | |
1100 | * New OIDs for Microsoft attributes. | |
1101 | * Better handling of SSL session caching. | |
1102 | * Better comparison of distinguished names. | |
1103 | * Better handling of shared libraries in a mixed GNU/non-GNU environment. | |
1104 | * Support assembler code with Borland C. | |
1105 | * Fixes for length problems. | |
1106 | * Fixes for uninitialised variables. | |
1107 | * Fixes for memory leaks, some unusual crashes and some race conditions. | |
1108 | * Fixes for smaller building problems. | |
1109 | * Updates of manuals, FAQ and other instructive documents. | |
1110 | ||
257e9d03 | 1111 | ### Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002] |
5f8e6c50 DMSP |
1112 | |
1113 | * Important building fixes on Unix. | |
1114 | ||
257e9d03 | 1115 | ### Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002] |
5f8e6c50 DMSP |
1116 | |
1117 | * Various important bugfixes. | |
1118 | ||
257e9d03 | 1119 | ### Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002] |
5f8e6c50 DMSP |
1120 | |
1121 | * Important security related bugfixes. | |
1122 | * Various SSL/TLS library bugfixes. | |
1123 | ||
257e9d03 | 1124 | ### Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002] |
5f8e6c50 DMSP |
1125 | |
1126 | * Various SSL/TLS library bugfixes. | |
1127 | * Fix DH parameter generation for 'non-standard' generators. | |
1128 | ||
257e9d03 | 1129 | ### Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001] |
5f8e6c50 DMSP |
1130 | |
1131 | * Various SSL/TLS library bugfixes. | |
1132 | * BIGNUM library fixes. | |
1133 | * RSA OAEP and random number generation fixes. | |
1134 | * Object identifiers corrected and added. | |
1135 | * Add assembler BN routines for IA64. | |
1136 | * Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, | |
1137 | MIPS Linux; shared library support for Irix, HP-UX. | |
1138 | * Add crypto accelerator support for AEP, Baltimore SureWare, | |
1139 | Broadcom and Cryptographic Appliance's keyserver | |
1140 | [in 0.9.6c-engine release]. | |
1141 | ||
257e9d03 | 1142 | ### Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001] |
5f8e6c50 DMSP |
1143 | |
1144 | * Security fix: PRNG improvements. | |
1145 | * Security fix: RSA OAEP check. | |
1146 | * Security fix: Reinsert and fix countermeasure to Bleichbacher's | |
1147 | attack. | |
1148 | * MIPS bug fix in BIGNUM. | |
1149 | * Bug fix in "openssl enc". | |
1150 | * Bug fix in X.509 printing routine. | |
1151 | * Bug fix in DSA verification routine and DSA S/MIME verification. | |
1152 | * Bug fix to make PRNG thread-safe. | |
1153 | * Bug fix in RAND_file_name(). | |
1154 | * Bug fix in compatibility mode trust settings. | |
1155 | * Bug fix in blowfish EVP. | |
1156 | * Increase default size for BIO buffering filter. | |
1157 | * Compatibility fixes in some scripts. | |
1158 | ||
257e9d03 | 1159 | ### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001] |
5f8e6c50 DMSP |
1160 | |
1161 | * Security fix: change behavior of OpenSSL to avoid using | |
1162 | environment variables when running as root. | |
1163 | * Security fix: check the result of RSA-CRT to reduce the | |
1164 | possibility of deducing the private key from an incorrectly | |
1165 | calculated signature. | |
1166 | * Security fix: prevent Bleichenbacher's DSA attack. | |
1167 | * Security fix: Zero the premaster secret after deriving the | |
1168 | master secret in DH ciphersuites. | |
1169 | * Reimplement SSL_peek(), which had various problems. | |
1170 | * Compatibility fix: the function des_encrypt() renamed to | |
1171 | des_encrypt1() to avoid clashes with some Unixen libc. | |
1172 | * Bug fixes for Win32, HP/UX and Irix. | |
1173 | * Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and | |
1174 | memory checking routines. | |
1175 | * Bug fixes for RSA operations in threaded environments. | |
1176 | * Bug fixes in misc. openssl applications. | |
1177 | * Remove a few potential memory leaks. | |
1178 | * Add tighter checks of BIGNUM routines. | |
1179 | * Shared library support has been reworked for generality. | |
1180 | * More documentation. | |
1181 | * New function BN_rand_range(). | |
1182 | * Add "-rand" option to openssl s_client and s_server. | |
1183 | ||
257e9d03 | 1184 | ### Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000] |
5f8e6c50 DMSP |
1185 | |
1186 | * Some documentation for BIO and SSL libraries. | |
1187 | * Enhanced chain verification using key identifiers. | |
1188 | * New sign and verify options to 'dgst' application. | |
1189 | * Support for DER and PEM encoded messages in 'smime' application. | |
1190 | * New 'rsautl' application, low level RSA utility. | |
1191 | * MD4 now included. | |
1192 | * Bugfix for SSL rollback padding check. | |
1193 | * Support for external crypto devices [1]. | |
1194 | * Enhanced EVP interface. | |
1195 | ||
1196 | [1] The support for external crypto devices is currently a separate | |
1197 | distribution. See the file README.ENGINE. | |
1198 | ||
257e9d03 | 1199 | ### Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000] |
5f8e6c50 DMSP |
1200 | |
1201 | * Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 | |
1202 | * Shared library support for HPUX and Solaris-gcc | |
1203 | * Support of Linux/IA64 | |
1204 | * Assembler support for Mingw32 | |
1205 | * New 'rand' application | |
1206 | * New way to check for existence of algorithms from scripts | |
1207 | ||
257e9d03 | 1208 | ### Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000] |
5f8e6c50 DMSP |
1209 | |
1210 | * S/MIME support in new 'smime' command | |
1211 | * Documentation for the OpenSSL command line application | |
1212 | * Automation of 'req' application | |
1213 | * Fixes to make s_client, s_server work under Windows | |
1214 | * Support for multiple fieldnames in SPKACs | |
1215 | * New SPKAC command line utility and associated library functions | |
1216 | * Options to allow passwords to be obtained from various sources | |
1217 | * New public key PEM format and options to handle it | |
1218 | * Many other fixes and enhancements to command line utilities | |
1219 | * Usable certificate chain verification | |
1220 | * Certificate purpose checking | |
1221 | * Certificate trust settings | |
1222 | * Support of authority information access extension | |
1223 | * Extensions in certificate requests | |
1224 | * Simplified X509 name and attribute routines | |
1225 | * Initial (incomplete) support for international character sets | |
1226 | * New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD | |
1227 | * Read only memory BIOs and simplified creation function | |
1228 | * TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 | |
1229 | record; allow fragmentation and interleaving of handshake and other | |
1230 | data | |
1231 | * TLS/SSL code now "tolerates" MS SGC | |
1232 | * Work around for Netscape client certificate hang bug | |
1233 | * RSA_NULL option that removes RSA patent code but keeps other | |
1234 | RSA functionality | |
1235 | * Memory leak detection now allows applications to add extra information | |
1236 | via a per-thread stack | |
1237 | * PRNG robustness improved | |
1238 | * EGD support | |
1239 | * BIGNUM library bug fixes | |
1240 | * Faster DSA parameter generation | |
1241 | * Enhanced support for Alpha Linux | |
1242 | * Experimental MacOS support | |
1243 | ||
257e9d03 | 1244 | ### Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999] |
5f8e6c50 DMSP |
1245 | |
1246 | * Transparent support for PKCS#8 format private keys: these are used | |
1247 | by several software packages and are more secure than the standard | |
1248 | form | |
1249 | * PKCS#5 v2.0 implementation | |
1250 | * Password callbacks have a new void * argument for application data | |
1251 | * Avoid various memory leaks | |
1252 | * New pipe-like BIO that allows using the SSL library when actual I/O | |
1253 | must be handled by the application (BIO pair) | |
1254 | ||
257e9d03 | 1255 | ### Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999] |
4477beac | 1256 | |
5f8e6c50 DMSP |
1257 | * Lots of enhancements and cleanups to the Configuration mechanism |
1258 | * RSA OEAP related fixes | |
4477beac | 1259 | * Added "openssl ca -revoke" option for revoking a certificate |
5f8e6c50 DMSP |
1260 | * Source cleanups: const correctness, type-safe stacks and ASN.1 SETs |
1261 | * Source tree cleanups: removed lots of obsolete files | |
1262 | * Thawte SXNet, certificate policies and CRL distribution points | |
4477beac | 1263 | extension support |
5f8e6c50 DMSP |
1264 | * Preliminary (experimental) S/MIME support |
1265 | * Support for ASN.1 UTF8String and VisibleString | |
1266 | * Full integration of PKCS#12 code | |
1267 | * Sparc assembler bignum implementation, optimized hash functions | |
1268 | * Option to disable selected ciphers | |
8e8a8a5f | 1269 | |
257e9d03 | 1270 | ### Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999] |
4477beac | 1271 | |
5f8e6c50 DMSP |
1272 | * Fixed a security hole related to session resumption |
1273 | * Fixed RSA encryption routines for the p < q case | |
1274 | * "ALL" in cipher lists now means "everything except NULL ciphers" | |
1275 | * Support for Triple-DES CBCM cipher | |
1276 | * Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA | |
1277 | * First support for new TLSv1 ciphers | |
1278 | * Added a few new BIOs (syslog BIO, reliable BIO) | |
1279 | * Extended support for DSA certificate/keys. | |
1280 | * Extended support for Certificate Signing Requests (CSR) | |
1281 | * Initial support for X.509v3 extensions | |
1282 | * Extended support for compression inside the SSL record layer | |
1283 | * Overhauled Win32 builds | |
1284 | * Cleanups and fixes to the Big Number (BN) library | |
1285 | * Support for ASN.1 GeneralizedTime | |
1286 | * Splitted ASN.1 SETs from SEQUENCEs | |
1287 | * ASN1 and PEM support for Netscape Certificate Sequences | |
1288 | * Overhauled Perl interface | |
1289 | * Lots of source tree cleanups. | |
1290 | * Lots of memory leak fixes. | |
1291 | * Lots of bug fixes. | |
3b52c2e7 | 1292 | |
257e9d03 | 1293 | ### Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998] |
4477beac | 1294 | |
5f8e6c50 DMSP |
1295 | * Integration of the popular NO_RSA/NO_DSA patches |
1296 | * Initial support for compression inside the SSL record layer | |
1297 | * Added BIO proxy and filtering functionality | |
1298 | * Extended Big Number (BN) library | |
1299 | * Added RIPE MD160 message digest | |
1300 | * Added support for RC2/64bit cipher | |
1301 | * Extended ASN.1 parser routines | |
1302 | * Adjustments of the source tree for CVS | |
1303 | * Support for various new platforms | |
4477beac | 1304 | |
4477beac DMSP |
1305 | <!-- Links --> |
1306 | ||
1307 | [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 | |
1308 | [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559 | |
1309 | [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552 | |
8658fedd | 1310 | [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551 |
4477beac DMSP |
1311 | [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549 |
1312 | [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547 | |
1313 | [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543 | |
1314 | [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407 | |
1315 | [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739 | |
1316 | [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737 | |
1317 | [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735 | |
1318 | [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734 | |
1319 | [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733 | |
1320 | [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732 | |
1321 | [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738 | |
1322 | [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737 | |
1323 | [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736 | |
1324 | [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735 | |
1325 | [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733 | |
1326 | [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732 | |
1327 | [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731 | |
1328 | [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730 | |
1329 | [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055 | |
1330 | [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054 | |
1331 | [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053 | |
1332 | [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052 | |
1333 | [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309 | |
1334 | [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308 | |
1335 | [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307 | |
1336 | [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306 | |
1337 | [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305 | |
1338 | [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304 | |
1339 | [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303 | |
1340 | [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302 | |
1341 | [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183 | |
1342 | [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182 | |
1343 | [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181 | |
1344 | [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180 | |
1345 | [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179 | |
1346 | [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178 | |
1347 | [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177 | |
1348 | [CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176 | |
1349 | [CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109 | |
1350 | [CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107 | |
1351 | [CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106 | |
1352 | [CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105 | |
1353 | [CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800 | |
1354 | [CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799 | |
1355 | [CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798 | |
1356 | [CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797 | |
1357 | [CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705 | |
1358 | [CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702 | |
1359 | [CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701 | |
1360 | [CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197 | |
1361 | [CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196 | |
1362 | [CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195 | |
1363 | [CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194 | |
1364 | [CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193 | |
1365 | [CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793 | |
1366 | [CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792 | |
1367 | [CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791 | |
1368 | [CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790 | |
1369 | [CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789 | |
1370 | [CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788 | |
1371 | [CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787 | |
1372 | [CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293 | |
1373 | [CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291 | |
1374 | [CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290 | |
1375 | [CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289 | |
1376 | [CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288 | |
1377 | [CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287 | |
1378 | [CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286 | |
1379 | [CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285 | |
1380 | [CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209 | |
1381 | [CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208 | |
1382 | [CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207 | |
1383 | [CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206 | |
1384 | [CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205 | |
1385 | [CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204 | |
1386 | [CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275 | |
1387 | [CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139 | |
1388 | [CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572 | |
1389 | [CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571 | |
1390 | [CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570 | |
1391 | [CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569 | |
1392 | [CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568 | |
1393 | [CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567 | |
1394 | [CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566 | |
1395 | [CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513 | |
1396 | [CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512 | |
1397 | [CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511 | |
1398 | [CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510 | |
1399 | [CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509 | |
1400 | [CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508 | |
1401 | [CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507 | |
1402 | [CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506 | |
1403 | [CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505 | |
1404 | [CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470 | |
1405 | [CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224 | |
1406 | [CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221 | |
1407 | [CVE-2014-0198]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0198 | |
1408 | [CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195 | |
1409 | [CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160 | |
1410 | [CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076 | |
1411 | [CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450 | |
1412 | [CVE-2013-6449]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6449 | |
1413 | [CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353 | |
1414 | [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169 | |
1415 | [CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166 | |
1416 | [CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686 | |
1417 | [CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333 | |
1418 | [CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110 | |
1419 | [CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884 | |
1420 | [CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050 | |
1421 | [CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027 | |
1422 | [CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619 | |
1423 | [CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577 | |
1424 | [CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576 | |
1425 | [CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108 | |
1426 | [CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210 | |
1427 | [CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207 | |
1428 | [CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014 | |
1429 | [CVE-2010-5298]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-5298 | |
1430 | [CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252 | |
1431 | [CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180 | |
1432 | [CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864 | |
1433 | [CVE-2010-2939]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-2939 | |
1434 | [CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633 | |
1435 | [CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740 | |
1436 | [CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433 | |
1437 | [CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555 | |
1438 | [CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789 | |
1439 | [CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591 | |
1440 | [CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590 | |
1441 | [CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077 | |
1442 | [CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343 | |
1443 | [CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339 | |
1444 | [CVE-2006-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3737 | |
1445 | [CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940 | |
1446 | [CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937 | |
1447 | [CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969 |