X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=846e66e1dd326eb753bbff4f18b08eb9e5812c43;hb=51b77c0337bd22ce391f339bd376788dc4e9a4ad;hp=2945371cb7e42ac4c8f7b18bf0cfbb76f482305e;hpb=c3cb069108d8f2327eedbf9df27d9e8a49b8e0e8;p=oweals%2Fopenssl.git diff --git a/CHANGES b/CHANGES index 2945371cb7..846e66e1dd 100644 --- a/CHANGES +++ b/CHANGES @@ -52,7 +52,32 @@ certificates. [Steve Henson] - Changes between 1.0.1 and 1.0.1a [xx XXX xxxx] + Changes between 1.0.1 and 1.0.1a [19 Apr 2012] + + *) Check for potentially exploitable overflows in asn1_d2i_read_bio + BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer + in CRYPTO_realloc_clean. + + Thanks to Tavis Ormandy, Google Security Team, for discovering this + issue and to Adam Langley for fixing it. + (CVE-2012-2110) + [Adam Langley (Google), Tavis Ormandy, Google Security Team] + + *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + [Adam Langley] + + *) Workarounds for some broken servers that "hang" if a client hello + record length exceeds 255 bytes: + + 1. Do not use record version number > TLS 1.0 in initial client + hello: some (but not all) hanging servers will now work. + 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate + the number of ciphers sent in the client hello. This should be + set to an even number, such as 50, for example by passing: + -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. + Most broken servers should now work. + 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable + TLS 1.2 client support entirely. *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. [Andy Polyakov]
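Review bot: In item 2 of the client-hello workaround entry, the wording is internally inconsistent: it says OPENSSL_MAX_TLS1_2_CIPHER_LENGTH "will truncate the number of ciphers sent", yet then requires the value to be "an even number, such as 50", which only makes sense if the macro bounds the byte length of the cipher-suite list rather than a count of suites. Please state explicitly which quantity the macro limits and why it must be even, e.g. "this caps the length in bytes of the ciphersuite list in the client hello; since each ciphersuite is two bytes the value should be even", so that a user passing -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 knows whether they get 50 suites or 25. For the CVE-2012-2110 entry it would also help operators triaging exposure to say what the unchecked growth in asn1_d2i_read_bio / BUF_mem_grow could lead to (the entry says "potentially exploitable overflows" but not that this affects any code path that reads DER via a BIO, which is the practical impact), and the TLS 1.2-in-TLS 1.0/1.1 ciphersuite entry should mention whether this is a client-side, server-side, or both-sides restriction.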