From: Dr. Stephen Henson Date: Tue, 7 Jan 2014 15:38:15 +0000 (+0000) Subject: Sync CHANGES X-Git-Tag: OpenSSL_1_0_2-beta1~105 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=802db0fab23cd32e320c493aced33fc488167d42;p=oweals%2Fopenssl.git Sync CHANGES --- diff --git a/CHANGES b/CHANGES index 76a477cead..0b49a88c91 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,7 @@ OpenSSL CHANGES _______________ - Changes between 1.0.1e and 1.0.2 [xx XXX xxxx] + Changes between 1.0.1f and 1.0.2 [xx XXX xxxx] *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): this fixes a limiation in previous versions of OpenSSL. @@ -295,6 +295,26 @@ certificates. [Steve Henson] + Changes between 1.0.1e and 1.0.1f [6 Jan 2014] + + *) Fix for TLS record tampering bug. A carefully crafted invalid + handshake could crash OpenSSL with a NULL pointer exception. + Thanks to Anton Johansson for reporting this issues. + (CVE-2013-4353) + + *) Keep original DTLS digest and encryption contexts in retransmission + structures so we can use the previous session parameters if they need + to be resent. (CVE-2013-6450) + [Steve Henson] + + *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which + avoids preferring ECDHE-ECDSA ciphers when the client appears to be + Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for + several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug + is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing + 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. + [Rob Stradling, Adam Langley] + Changes between 1.0.1d and 1.0.1e [11 Feb 2013] *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI