Sync with 1.0.1 branch.

(CVE-2011-0014 OCSP stapling fix has been applied to HEAD as well.)

Sync with 1.0.1 branch.
(CVE-2011-0014 OCSP stapling fix has been applied to HEAD as well.)
c415adc2 · Bodo Möller · 9afe9509 · c415adc2
隐藏空白更改
内联并排

Showing with 29 addition and 3 deletion

CHANGES CHANGES +29 -3

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -146,7 +146,7 @@
     whose return value is often ignored. 
     [Steve Henson]
  
- Changes between 1.0.0c and 1.0.1  [xx XXX xxxx]
+ Changes between 1.0.0d and 1.0.1  [xx XXX xxxx]

  *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
     [Steve Henson]
@@ -185,7 +185,10 @@
       Add command line options to s_client/s_server.
     [Steve Henson]

- Changes between 1.0.0c and 1.0.0d [xx XXX xxxx]
+ Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
+
+  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
+     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]

  *) Fix bug in string printing code: if *any* escaping is enabled we must
     escape the escape character (backslash) or the resulting string is
@@ -1062,11 +1065,34 @@
  *) Change 'Configure' script to enable Camellia by default.
     [NTT]
  
- Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
+ Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
+
+  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
+     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
+
+  *) Fix bug in string printing code: if *any* escaping is enabled we must
+     escape the escape character (backslash) or the resulting string is
+     ambiguous.
+     [Steve Henson]
+
+ Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
+
+  *) Disable code workaround for ancient and obsolete Netscape browsers
+     and servers: an attacker can use it in a ciphersuite downgrade attack.
+     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
+     [Steve Henson]
+
+  *) Fixed J-PAKE implementation error, originally discovered by
+     Sebastien Martini, further info and confirmation from Stefan
+     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
+     [Ben Laurie]
+
+ Changes between 0.9.8o and 0.9.8p [16 Nov 2010]

  *) Fix extension code to avoid race conditions which can result in a buffer
     overrun vulnerability: resumed sessions must not be modified as they can
     be shared by multiple threads. CVE-2010-3864
+     [Steve Henson]

  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
     [Steve Henson]