From 84236041c176c8f4b35b6fbafc81f79efd060c09 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Fri, 11 Oct 2002 17:53:21 +0000 Subject: [PATCH] synchronize with 0.9.6-stable version of this file --- CHANGES | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index f77726fc8f..7ec74c5f84 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,14 @@ Changes between 0.9.6h and 0.9.7 [XX xxx 2002] + *) Change from security patch (see 0.9.6e below) that did not affect + the 0.9.6 release series: + + Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized master key in Kerberos-enabled versions. + (CAN-2002-0657) + [Ben Laurie (CHATS)] + *) Change the SSL kerb5 codes to match RFC 2712. [Richard Levitte] @@ -1719,7 +1727,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). [Arne Ansper , Bodo Moeller] - + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) Add various sanity checks to asn1_get_length() to reject @@ -1770,11 +1778,6 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> - *) Remote buffer overflow in SSL3 protocol - an attacker could - supply an oversized master key in Kerberos-enabled versions. - (CAN-2002-0657) - [Ben Laurie (CHATS)] - *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] 
@@ -1869,13 +1872,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k value is 0. [Richard Levitte] - *) Add the configuration target linux-s390x. - [Neale Ferguson via Richard Levitte] - *) [In 0.9.6d-engine release:] Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk via Richard Levitte] + *) Add the configuration target linux-s390x. + [Neale Ferguson via Richard Levitte] + *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag variable as an indication that a ClientHello message has been -- 2.25.1
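Review bot: in the first hunk (@@ -4,6 +4,14 @@) the lead-in "(see 0.9.6e below)" points readers to the 0.9.6e section, but the third hunk of this same patch removes the CAN-2002-0657 entry from that section, so the cross-reference no longer lands on the entry it describes. Suggest wording it so it stands on its own, e.g. "Change from the security patch released with 0.9.6e that did not affect the 0.9.6 release series:", or keep a one-line pointer under 0.9.6e noting the fix applied only to the 0.9.7 branch.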
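Review bot: the second hunk (@@ -1719,7 +1727,7 @@) changes only trailing whitespace on the blank line before "Changes between 0.9.6d and 0.9.6e [30 Jul 2002]". That is harmless, and consistent with a synchronisation commit, but it is the kind of change that makes later blame and merge conflicts noisier; if the whitespace fix is intentional, say so in the commit message, otherwise drop the hunk.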
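Review bot: in the third hunk (@@ -1770,11 +1778,6 @@) the removal of the CAN-2002-0657 entry is consistent with the claim in the first hunk that the fix did not affect the 0.9.6 series, but the unchanged context line immediately above it reads "[Matthew Byng-Maddick and Ben Laurie (CHATS)>" with a stray ">" where the closing "]" belongs. Since this commit is already touching the adjacent lines to match 0.9.6-stable, it would be worth fixing that typo here rather than leaving the CAN-2002-0655 attribution malformed.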
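Review bot: the fourth hunk (@@ -1869,13 +1872,13 @@) is a pure reordering that moves the "Add the configuration target linux-s390x." entry below the "[In 0.9.6d-engine release:]" hwcrhk_load_pubkey() fix; no text changes. The commit message only says "synchronize with 0.9.6-stable", so a reviewer cannot tell from the diff whether the new order is the one in 0.9.6-stable or an accidental drift; a short note in the commit message confirming the order was taken from the 0.9.6-stable CHANGES would make this verifiable.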