generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Updates to CHANGES file

Browse Source 
Reviewed-by: Bodo Möller <bodo@openssl.org>
This commit is contained in:
Matt Caswell 2014-10-15 10:52:00 +01:00 committed by Geoff Thorpe
parent cd332a0750
commit 4d2efa29f6
1 changed files with 19 additions and 0 deletions

19
CHANGES

@ -4,6 +4,25 @@
Changes between 0.9.8zb and 0.9.8zc [xx XXX xxxx] Changes between 0.9.8zb and 0.9.8zc [xx XXX xxxx]
*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]
*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]
*) Add support for TLS_FALLBACK_SCSV. *) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).