OpenSSL CHANGES
_______________
- Changes between 1.0.0a and 1.0.0b [xx XXX xxxx]
+ Changes between 1.0.0b and 1.0.0c [xx XXX xxxx]
+
+ *) Fixed J-PAKE implementation error, originally discovered by
+ Sebastien Martini, further info and confirmation from Stefan
+ Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
+ [Ben Laurie]
+
+ Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
+
+ *) Fix extension code to avoid race conditions which can result in a buffer
+ overrun vulnerability: resumed sessions must not be modified as they can
+ be shared by multiple threads. CVE-2010-3864
+ [Steve Henson]
*) Fix WIN32 build system to correctly link an ENGINE directory into
a DLL.
Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
+ *) Fix extension code to avoid race conditions which can result in a buffer
+ overrun vulnerability: resumed sessions must not be modified as they can
+ be shared by multiple threads. CVE-2010-3864
+
+ *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+ [Steve Henson]
+
*) Don't reencode certificate when calculating signature: cache and use
the original encoding instead. This makes signature verification of
some broken encodings work correctly.