From: Dr. Stephen Henson Date: Thu, 5 Jun 2014 07:56:20 +0000 (+0100) Subject: Update CHANGES and NEWS X-Git-Tag: OpenSSL_1_0_1h~1 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=aabbe99fcb802c3c6d4425c3a5f4143f2616e9ed;p=oweals%2Fopenssl.git Update CHANGES and NEWS --- diff --git a/CHANGES b/CHANGES index 5e94be26df..c6c781e7a0 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,37 @@ Changes between 1.0.1g and 1.0.1h [xx XXX xxxx] + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + + Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and + researching this issue. (CVE-2014-0224) + [KIKUCHI Masashi, Steve Henson] + + *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + (CVE-2014-0221) + [Imre Rad, Steve Henson] + + *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can + be triggered by sending invalid DTLS fragments to an OpenSSL DTLS + client or server. This is potentially exploitable to run arbitrary + code on a vulnerable client or server. + + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] + + *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites + are subject to a denial of service attack. + + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + this issue. (CVE-2014-3470) + [Felix Gröbert, Ivan Fratric, Steve Henson] + *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha ] diff --git a/NEWS b/NEWS index c23ac7b9ea..bf761c12b5 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,11 @@ Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [under development] - o + o Fix for CVE-2014-0224 + o Fix for CVE-2014-0221 + o Fix for CVE-2014-0195 + o Fix for CVE-2014-3470 + o Fix for CVE-2010-5298 Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]