Changes between 1.1.0b and 1.1.0c [xx XXX xxxx]
+ *) ChaCha20/Poly1305 heap-buffer-overflow
+
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+
+ This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
+ (CVE-2016-7054)
+ [Richard Levitte]
+
+ *) CMS Null dereference
+
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
+ type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
+ structure callback if an attempt is made to free certain invalid encodings.
+ Only CHOICE structures using a callback which do not handle NULL value are
+ affected.
+
+ This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
+ (CVE-2016-7053)
+ [Stephen Henson]
+
+ *) Montgomery multiplication may produce incorrect results
+
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
+
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ (CVE-2016-7055)
+ [Andy Polyakov]
+
*) Removed automatic addition of RPATH in shared libraries and executables,
as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
[Richard Levitte]
Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
+ o ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
+ o CMS Null dereference (CVE-2016-7053)
+ o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
o Fix Use After Free for large message sizes (CVE-2016-6309)
Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]