From 031cbecf86d91550439737181c6b19e7259ad939 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 4 Feb 2013 23:18:46 +0000 Subject: [PATCH] update NEWS and CHANGES --- CHANGES | 13 +++++++++++++ NEWS | 1 + 2 files changed, 14 insertions(+) diff --git a/CHANGES b/CHANGES index 8adac3b6d4..06f5540d4b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,19 @@ Changes between 0.9.8x and 0.9.8y [xx XXX xxxx] + *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. + + This addresses the flaw in CBC record processing discovered by + Nadhem Alfardan and Kenny Paterson. Details of this attack can be found + at: http://www.isg.rhul.ac.uk/tls/ + + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and + Emilia Käsper for the initial patch. + (CVE-2013-0169) + [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] + *) Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] diff --git a/NEWS b/NEWS index 3217472c19..0de954cf4e 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,7 @@ Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y: + o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 o Fix OCSP bad key DoS attack CVE-2013-0166 Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x: -- 2.25.1