From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 5 Jun 2014 08:00:01 +0000 (+0100)
Subject: Update CHANGES and NEWS
X-Git-Tag: OpenSSL_1_0_0m~2
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b9c9cd3ded07fd1e23fc438f719cea823583d3c0;p=oweals%2Fopenssl.git

Update CHANGES and NEWS
---

diff --git a/CHANGES b/CHANGES
index 6d6be97a92..82aa7aeb7b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,37 @@
 
  Changes between 1.0.0l and 1.0.0m [xx XXX xxxx]
 
+  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+     handshake can force the use of weak keying material in OpenSSL
+     SSL/TLS clients and servers.
+
+     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+     researching this issue. (CVE-2014-0224)
+     [KIKUCHI Masashi, Steve Henson]
+
+  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+     OpenSSL DTLS client the code can be made to recurse eventually crashing
+     in a DoS attack.
+
+     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+     (CVE-2014-0221)
+     [Imre Rad, Steve Henson]
+
+  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+     client or server. This is potentially exploitable to run arbitrary
+     code on a vulnerable client or server.
+
+     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+     [Jüri Aedla, Steve Henson]
+
+  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+     are subject to a denial of service attack.
+
+     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+     this issue. (CVE-2014-3470)
+     [Felix Gröbert, Ivan Fratric, Steve Henson]
+
   *) Harmonize version and its documentation. -f flag is used to display
      compilation flags.
      [mancha <mancha1@zoho.com>]
diff --git a/NEWS b/NEWS
index 41e742ea1b..a2231a2aa6 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,12 @@
 
   Major changes between OpenSSL 1.0.0l and OpenSSL 1.0.0m [under development]
 
+      o Fix for CVE-2014-0224
+      o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0195
+      o Fix for CVE-2014-3470
       o Fix for CVE-2014-0076
+      o Fix for CVE-2010-5298
 
   Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014]