From: Matt Caswell Date: Wed, 15 Oct 2014 09:50:25 +0000 (+0100) Subject: Update to CHANGES file X-Git-Tag: OpenSSL_1_0_0o~2 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6469c947f5536ec5d0ac7432cc46d55bd0dac2f8;p=oweals%2Fopenssl.git Update to CHANGES file Reviewed-by: Bodo Möller --- diff --git a/CHANGES b/CHANGES index 21446c5dc1..cc4e4cf77b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,25 @@ Changes between 1.0.0n and 1.0.0o [xx XXX xxxx] + *) Session Ticket Memory Leak. + + When an OpenSSL SSL/TLS/DTLS server receives a session ticket the + integrity of that ticket is first verified. In the event of a session + ticket integrity check failing, OpenSSL will fail to free memory + causing a memory leak. By sending a large number of invalid session + tickets an attacker could exploit this issue in a Denial Of Service + attack. + (CVE-2014-3567) + [Steve Henson] + + *) Build option no-ssl3 is incomplete. + + When OpenSSL is configured with "no-ssl3" as a build option, servers + could accept and complete a SSL 3.0 handshake, and clients could be + configured to send them. + (CVE-2014-3568) + [Akamai and the OpenSSL team] + *) Add support for TLS_FALLBACK_SCSV. Client applications doing fallback retries should call SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).