Update CHANGES and NEWS for the new release

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-02 15:38:32 +01:00 · 2015-07-02 15:38:32 +01:00 · 5627e0f77d
commit 5627e0f77d
parent 9dee5244e1
2 changed files with 13 additions and 2 deletions
--- a/13
+++ b/13
@ -4,7 +4,18 @@

 Changes between 1.0.2c and 1.0.2d [xx XXX xxxx]

-  *)
+  *) Alternate chains certificate forgery
+
+     During certificate verfification, OpenSSL will attempt to find an
+     alternative certificate chain if the first attempt to build such a chain
+     fails. An error in the implementation of this logic can mean that an
+     attacker could cause certain checks on untrusted certificates to be
+     bypassed, such as the CA flag, enabling them to use a valid leaf
+     certificate to act as a CA and "issue" an invalid certificate.
+
+     This issue was reported to OpenSSL by Adam Langley/David Benjamin
+     (Google/BoringSSL).
+     [Matt Caswell]

 Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

--- a/2
+++ b/2
@ -7,7 +7,7 @@

  Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [under development]

-      o
+      o Alternate chains certificate forgery (CVE-2015-1793)

  Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]