OpenSSL CHANGES
_______________
- Changes between 1.0.0c and 1.0.0d [xx XXX xxxx]
+ Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
+
+ *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
+ [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
*) Change 'Configure' script to enable Camellia by default.
[NTT]
- Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
+ Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
+
+ *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
+ [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
+
+ *) Fix bug in string printing code: if *any* escaping is enabled we must
+ escape the escape character (backslash) or the resulting string is
+ ambiguous.
+ [Steve Henson]
+
+ Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
+
+ *) Disable code workaround for ancient and obsolete Netscape browsers
+ and servers: an attacker can use it in a ciphersuite downgrade attack.
+ Thanks to Martin Rex for discovering this bug. CVE-2010-4180
+ [Steve Henson]
+
+ *) Fixed J-PAKE implementation error, originally discovered by
+ Sebastien Martini, further info and confirmation from Stefan
+ Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
+ [Ben Laurie]
+
+ Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
*) Fix extension code to avoid race conditions which can result in a buffer
overrun vulnerability: resumed sessions must not be modified as they can
be shared by multiple threads. CVE-2010-3864
+ [Steve Henson]
*) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
[Steve Henson]
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0c was released on Dec 2nd, 2010.
+OpenSSL 1.0.0d was released on Feb 8th, 2011.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
---------------
/* ====================================================================
- * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+
+ o Fix for security issue CVE-2011-0014
+
Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
o Fix for security issue CVE-2010-4180
o Opaque PRF Input TLS extension support.
o Updated time routines to avoid OS limitations.
+ Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+
+ o Fix for security issue CVE-2011-0014
+
Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
o Fix for security issue CVE-2010-4180
- OpenSSL 1.0.0d-dev
+ OpenSSL 1.0.0d
- Copyright (c) 1998-2010 The OpenSSL Project
+ Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
OpenSSL STATUS Last modified at
- ______________ $Date: 2010/12/02 18:29:03 $
+ ______________ $Date: 2011/02/08 17:10:52 $
DEVELOPMENT STATE
o OpenSSL 1.1.0: Under development...
+ o OpenSSL 1.0.1: Under development...
+ o OpenSSL 1.0.0d: Released on February 8nd, 2011
o OpenSSL 1.0.0c: Released on December 2nd, 2010
o OpenSSL 1.0.0b: Released on November 16th, 2010
o OpenSSL 1.0.0a: Released on June 1st, 2010
o OpenSSL 1.0.0: Released on March 29th, 2010
+ o OpenSSL 0.9.8r: Released on February 8nd, 2011
+ o OpenSSL 0.9.8q: Released on December 2nd, 2010
+ o OpenSSL 0.9.8p: Released on November 16th, 2010
+ o OpenSSL 0.9.8o: Released on June 1st, 2010
o OpenSSL 0.9.8n: Released on March 24th, 2010
o OpenSSL 0.9.8m: Released on February 25th, 2010
o OpenSSL 0.9.8l: Released on November 5th, 2009
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x10000040L
+#define OPENSSL_VERSION_NUMBER 0x1000004fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips-dev xx XXX xxxx"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips 8 Feb 2011"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-dev xx XXX xxxx"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d 8 Feb 2011"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
-Version: %{libmaj}.%{libmin}.%{librel}
-#Version: %{libmaj}.%{libmin}.%{librel}%{librev}
+#Version: %{libmaj}.%{libmin}.%{librel}
+Version: %{libmaj}.%{libmin}.%{librel}%{librev}
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
Copyright: Freely distributable
Group: System Environment/Libraries
}
n2s(data, idsize);
dsize -= 2 + idsize;
+ size -= 2 + idsize;
if (dsize < 0)
{
*al = SSL_AD_DECODE_ERROR;
}
/* Read in request_extensions */
+ if (size < 2)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
n2s(data,dsize);
size -= 2;
- if (dsize > size)
+ if (dsize != size)
{
*al = SSL_AD_DECODE_ERROR;
return 0;
} else {
push @out,
"/* ====================================================================\n",
-" * Copyright (c) 2001-2010 The OpenSSL Project. All rights reserved.\n",
+" * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.\n",
" *\n",
" * Redistribution and use in source and binary forms, with or without\n",
" * modification, are permitted provided that the following conditions\n",
projects / oweals / openssl.git / commitdiff