Update CHANGES and NEWS ready for release
author Matt Caswell <matt@openssl.org>
Wed, 27 Jan 2016 13:55:05 +0000 (13:55 +0000)
committer Matt Caswell <matt@openssl.org>
Thu, 28 Jan 2016 17:06:38 +0000 (17:06 +0000)
Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.

Reviewed-by: Rich Salz <rsalz@openssl.org>
CHANGES
NEWS

diff --git a/CHANGES b/CHANGES
index 23ca912fa6e40b6c0403513a5fc73c6c6cbebbe6..ca3c62639fbb9f4ba7c029b9774018f0f7c469c1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,18 @@
 
  Changes between 1.0.1q and 1.0.1r [xx XXX xxxx]
 
+  *) SSLv2 doesn't block disabled ciphers
+
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+
+     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+     and Sebastian Schinzel.
+     (CVE-2015-3197)
+     [Viktor Dukhovni]
+
   *) Reject DH handshakes with parameters shorter than 1024 bits.
      [Kurt Roeckx]
 
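Review bot: The new CVE-2015-3197 entry in CHANGES describes the defect but never says what 1.0.1r does differently. After the paragraph ending "SSL_OP_NO_SSLv2." consider adding one sentence stating the corrected behaviour, so a reader can tell whether setting SSL_OP_NO_SSLv2 is still required after upgrading. The section heading in the context line also still carries the placeholder date "[xx XXX xxxx]", which needs to be filled in before the release is cut.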
diff --git a/NEWS b/NEWS
index e712f14ae3d4c0c23d83bccf736346dadcf4dee4..13dcd01aacc85dfc10b5503c7fee288dcaa39e0b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [under development]
 
-      o
+      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
 
   Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
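Review bot: The replacement bullet "o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)" is worded as a present-tense defect under a "Major changes" heading, so it reads as if 1.0.1r itself has this behaviour. Suggest wording it as the change, for example "Fix SSLv2 not blocking disabled ciphers (CVE-2015-3197)". The heading in the context above still says "[under development]" although the commit subject says the files are ready for release; confirm the date is set in the release commit.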