Update CHANGES and NEWS

2013-02-04 22:57:49 +00:00 · 2013-02-04 22:57:49 +00:00 · 8a5d624d5b
commit 8a5d624d5b
parent ae4a75cecf
2 changed files with 14 additions and 0 deletions
--- a/13
+++ b/13
@ -4,6 +4,19 @@

 Changes between 1.0.0j and 1.0.0k [xx XXX xxxx]

+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia Käsper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]
--- a/1
+++ b/1
@ -7,6 +7,7 @@

  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k:

+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
      o Fix OCSP bad key DoS attack CVE-2013-0166

  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j: