CHANGES and NEWS updates for release

Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Steve Henson <steve@openssl.org>
2015-01-08 13:37:28 +00:00 · 2015-01-08 13:37:28 +00:00 · 1dc6a5441a
commit 1dc6a5441a
parent a4aa188799
2 changed files with 31 additions and 1 deletions
--- a/25
+++ b/25
@ -4,6 +4,20 @@

 Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx]

+  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+     message can cause a segmentation fault in OpenSSL due to a NULL pointer
+     dereference. This could lead to a Denial Of Service attack. Thanks to
+     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+     (CVE-2014-3571)
+     [Steve Henson]
+
+  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+     method would be set to NULL which could later result in a NULL pointer
+     dereference. Thanks to Frank Schmirler for reporting this issue.
+     (CVE-2014-3569)
+     [Kurt Roeckx]
+
  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

@ -58,6 +72,17 @@
     (CVE-2014-8275)
     [Steve Henson]

+   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+      results on some platforms, including x86_64. This bug occurs at random
+      with a very low probability, and is not known to be exploitable in any
+      way, though its exact impact is difficult to determine. Thanks to Pieter
+      Wuille (Blockstream) who reported this issue and also suggested an initial
+      fix. Further analysis was conducted by the OpenSSL development team and
+      Adam Langley of Google. The final fix was developed by Andy Polyakov of
+      the OpenSSL core team.
+      (CVE-2014-3570)
+      [Andy Polyakov]
+
 Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]

  *) Session Ticket Memory Leak.
--- a/7
+++ b/7
@ -7,7 +7,12 @@

  Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [under development]

-      o
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570

  Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]: