Update for 0.9.8s and 1.0.0f, and for 1.0.1 branch.

(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in HEAD, the actual code is here already.)

diff --git a/CHANGES b/CHANGES
index d6b2a9cfce95ab1c53b6b911ddf9d1be75bc5677..0435e2918ec4ac688ced05da5c2b6b96af0e19fe 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -279,9 +279,6 @@
      (removal of unnecessary code)
      [Peter Sylvester <peter.sylvester@edelweb.fr>]
 
-  *) Add -attime option to openssl utilities.
-     [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
-
   *) Add TLS key material exporter from RFC 5705.
      [Eric Rescorla]
 
@@ -407,8 +404,8 @@
      keep original code iff non-FIPS operations are allowed.
      [Steve Henson]
 
-  *) Add -attime option to openssl verify.
-     [Peter Eckersley <pde@eff.org> and Ben Laurie]
+  *) Add -attime option to openssl utilities.
+     [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
 
   *) Redirect DSA and DH operations to FIPS module in FIPS mode.
      [Steve Henson]
@@ -552,6 +549,9 @@
      and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
      [Rob Austein <sra@hactrn.net>]
 
+  *) Improved PRNG seeding for VOS.
+     [Paul Green <Paul.Green@stratus.com>]
+
   *) Fix ssl_ciph.c set-up race.
      [Adam Langley (Google)]
 
@@ -1480,7 +1480,36 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
   
- Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
+ Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
+
+  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
+     of the Vaudenay padding oracle attack on CBC mode encryption
+     which enables an efficient plaintext recovery attack against
+     the OpenSSL implementation of DTLS. Their attack exploits timing
+     differences arising during decryption processing. A research
+     paper describing this attack can be found at:
+                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
+     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
+     for preparing the fix. (CVE-2011-4108)
+     [Robin Seggelmann, Michael Tuexen]
+
+  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
+     [Ben Laurie, Kasper <ekasper@google.com>]
+
+  *) Clear bytes used for block padding of SSL 3.0 records.
+     (CVE-2011-4576)
+     [Adam Langley (Google)]
+
+  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
+     [Adam Langley (Google)]
+ 
+  *) Prevent malformed RFC3779 data triggering an assertion failure.
+     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
+     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
+     [Rob Austein <sra@hactrn.net>]
 
   *) Fix ssl_ciph.c set-up race.
      [Adam Langley (Google)]