X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=53b6c6f01f35327c7cde351b024cf08a8dbd1c02;hb=72370164c37d5384ee9788010a08b4feeba41688;hp=4fcfd1d4be451ade7e173c3ef09d9ea1e1c72afb;hpb=b2d951e4232d2f90168f9a3dd0b7df9ecf2d81a8;p=oweals%2Fopenssl.git

diff --git a/CHANGES b/CHANGES
index 4fcfd1d4be..53b6c6f01f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,54 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1h and 1.0.1i [xx XXX xxxx]
+
+  *)
+
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+     handshake can force the use of weak keying material in OpenSSL
+     SSL/TLS clients and servers.
+
+     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+     researching this issue. (CVE-2014-0224)
+     [KIKUCHI Masashi, Steve Henson]
+
+  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+     OpenSSL DTLS client the code can be made to recurse eventually crashing
+     in a DoS attack.
+
+     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+     (CVE-2014-0221)
+     [Imre Rad, Steve Henson]
+
+  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+     client or server. This is potentially exploitable to run arbitrary
+     code on a vulnerable client or server.
+
+     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+     [Jüri Aedla, Steve Henson]
+
+  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+     are subject to a denial of service attack.
+
+     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+     this issue. (CVE-2014-3470)
+     [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+  *) Harmonize version and its documentation. -f flag is used to display
+     compilation flags.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+     in i2d_ECPrivateKey.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix some double frees. These are not thought to be exploitable.
+     [mancha <mancha1@zoho.com>]
+
  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
 
   *) A missing bounds check in the handling of the TLS heartbeat extension