Update CHANGES and NEWS ready for release

Update CHANGES and NEWS with details of the issues fixed in the forthcoming release. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-27 13:55:05 +00:00 · 2016-01-27 13:55:05 +00:00 · 5fed60f962
commit 5fed60f962
parent 4040a7fd10
2 changed files with 13 additions and 1 deletions
--- a/12
+++ b/12
@ -4,6 +4,18 @@

 Changes between 1.0.1q and 1.0.1r [xx XXX xxxx]

+  *) SSLv2 doesn't block disabled ciphers
+
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+
+     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+     and Sebastian Schinzel.
+     (CVE-2015-3197)
+     [Viktor Dukhovni]
+
  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]

--- a/2
+++ b/2
@ -7,7 +7,7 @@

  Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [under development]

-      o
+      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

  Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]