generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update CHANGES and NEWS

Browse Source
This commit is contained in:
Dr. Stephen Henson 2013-02-04 22:57:49 +00:00
parent ae4a75cecf
commit 8a5d624d5b
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGES
View File

@ -4,6 +4,19 @@
Changes between 1.0.0j and 1.0.0k [xx XXX xxxx] Changes between 1.0.0j and 1.0.0k [xx XXX xxxx]
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
(CVE-2013-0169)
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
*) Return an error when checking OCSP signatures when key is NULL. *) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166) This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson] [Steve Henson]

1
NEWS
View File

@ -7,6 +7,7 @@
Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k: Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k:
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
o Fix OCSP bad key DoS attack CVE-2013-0166 o Fix OCSP bad key DoS attack CVE-2013-0166
Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j: Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j: