PR: 2386

[oweals/openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index b6708ffdc6cacadd4c97b1a79f29cf262569fd3c..6c302f77875fdae5ecf29aafb3d036c979fd48b6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,19 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.0a and 1.0.0b  [xx XXX xxxx]
+ Changes between 1.0.0b and 1.0.0c  [xx XXX xxxx]
+
+  *) Fixed J-PAKE implementation error, originally discovered by
+     Sebastien Martini, further info and confirmation from Stefan
+     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
+     [Ben Laurie]
+
+ Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
+
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+     [Steve Henson]
 
   *) Fix WIN32 build system to correctly link an ENGINE directory into
      a DLL. 
@@ -857,6 +869,13 @@
   
  Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
   *) Don't reencode certificate when calculating signature: cache and use
      the original encoding instead. This makes signature verification of
      some broken encodings work correctly.