Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssl/dist Changes between 1.0.1e and ...
details: https://anonhg.NetBSD.org/src/rev/7b3bcc75f77f
branches: trunk
changeset: 325921:7b3bcc75f77f
user: christos <christos%NetBSD.org@localhost>
date: Sat Jan 11 18:11:10 2014 +0000
description:
Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
*) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issue.
(CVE-2013-4353)
*) Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]
*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 163 +-
crypto/external/bsd/openssl/dist/Makefile | 5 +-
crypto/external/bsd/openssl/dist/Makefile.org | 3 +-
crypto/external/bsd/openssl/dist/NEWS | 184 +-
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/Makefile | 17 +-
crypto/external/bsd/openssl/dist/apps/Makefile.save | 1056 +++++++++
crypto/external/bsd/openssl/dist/apps/apps.h | 2 +
crypto/external/bsd/openssl/dist/apps/openssl.c | 1 +
crypto/external/bsd/openssl/dist/apps/pkcs12.c | 9 +-
crypto/external/bsd/openssl/dist/config | 2 +-
crypto/external/bsd/openssl/dist/crypto/Makefile | 4 +-
crypto/external/bsd/openssl/dist/crypto/Makefile.save | 219 ++
crypto/external/bsd/openssl/dist/crypto/aes/Makefile.save | 153 +
crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-parisc.pl | 3 +-
crypto/external/bsd/openssl/dist/crypto/aes/asm/bsaes-x86_64.pl | 73 +-
crypto/external/bsd/openssl/dist/crypto/armcap.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/asn1/Makefile.save | 930 ++++++++
crypto/external/bsd/openssl/dist/crypto/asn1/a_int.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/bf/Makefile.save | 101 +
crypto/external/bsd/openssl/dist/crypto/bio/Makefile.save | 222 ++
crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/bn/Makefile | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/Makefile.save | 377 +++
crypto/external/bsd/openssl/dist/crypto/bn/asm/mips-mont.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/mips.pl | 44 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/parisc-mont.pl | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gf2m.pl | 3 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c | 55 +-
crypto/external/bsd/openssl/dist/crypto/buffer/Makefile.save | 97 +
crypto/external/bsd/openssl/dist/crypto/buffer/buffer.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/camellia/Makefile.save | 110 +
crypto/external/bsd/openssl/dist/crypto/cast/Makefile.save | 102 +
crypto/external/bsd/openssl/dist/crypto/cmac/Makefile.save | 111 +
crypto/external/bsd/openssl/dist/crypto/cms/Makefile.save | 284 ++
crypto/external/bsd/openssl/dist/crypto/comp/Makefile.save | 108 +
crypto/external/bsd/openssl/dist/crypto/conf/Makefile.save | 152 +
crypto/external/bsd/openssl/dist/crypto/des/Makefile.save | 279 ++
crypto/external/bsd/openssl/dist/crypto/dh/Makefile.save | 180 +
crypto/external/bsd/openssl/dist/crypto/dsa/Makefile.save | 209 +
crypto/external/bsd/openssl/dist/crypto/dso/Makefile.save | 150 +
crypto/external/bsd/openssl/dist/crypto/ec/Makefile.save | 263 ++
crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c | 10 +-
crypto/external/bsd/openssl/dist/crypto/ecdh/Makefile.save | 116 +
crypto/external/bsd/openssl/dist/crypto/ecdsa/Makefile.save | 140 +
crypto/external/bsd/openssl/dist/crypto/engine/Makefile.save | 447 ++++
crypto/external/bsd/openssl/dist/crypto/engine/eng_rdrand.c | 1 +
crypto/external/bsd/openssl/dist/crypto/err/Makefile.save | 110 +
crypto/external/bsd/openssl/dist/crypto/evp/Makefile | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/Makefile.save | 776 +++++++
crypto/external/bsd/openssl/dist/crypto/evp/digest.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/evp/e_des3.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/evp/p5_crpt2.c | 40 +-
crypto/external/bsd/openssl/dist/crypto/hmac/Makefile.save | 110 +
crypto/external/bsd/openssl/dist/crypto/idea/Makefile.save | 89 +
crypto/external/bsd/openssl/dist/crypto/krb5/Makefile.save | 84 +
crypto/external/bsd/openssl/dist/crypto/lhash/Makefile.save | 88 +
crypto/external/bsd/openssl/dist/crypto/md4/Makefile.save | 89 +
crypto/external/bsd/openssl/dist/crypto/md5/Makefile.save | 102 +
crypto/external/bsd/openssl/dist/crypto/mdc2/Makefile.save | 93 +
crypto/external/bsd/openssl/dist/crypto/modes/Makefile | 5 +-
crypto/external/bsd/openssl/dist/crypto/modes/Makefile.save | 144 +
crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-alpha.pl | 25 +-
crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-parisc.pl | 1 +
crypto/external/bsd/openssl/dist/crypto/modes/cbc128.c | 25 +-
crypto/external/bsd/openssl/dist/crypto/modes/ccm128.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/modes/cts128.c | 28 +-
crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c | 104 +-
crypto/external/bsd/openssl/dist/crypto/modes/modes_lcl.h | 9 +-
crypto/external/bsd/openssl/dist/crypto/objects/Makefile.save | 130 +
crypto/external/bsd/openssl/dist/crypto/ocsp/Makefile.save | 213 ++
crypto/external/bsd/openssl/dist/crypto/pariscid.pl | 41 +-
crypto/external/bsd/openssl/dist/crypto/pem/Makefile.save | 258 ++
crypto/external/bsd/openssl/dist/crypto/pem/pem_info.c | 1 +
crypto/external/bsd/openssl/dist/crypto/pkcs12/Makefile.save | 286 ++
crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_crt.c | 7 +
crypto/external/bsd/openssl/dist/crypto/pkcs7/Makefile.save | 194 +
crypto/external/bsd/openssl/dist/crypto/pqueue/Makefile.save | 83 +
crypto/external/bsd/openssl/dist/crypto/rand/Makefile.save | 164 +
crypto/external/bsd/openssl/dist/crypto/rand/rand.h | 1 +
crypto/external/bsd/openssl/dist/crypto/rand/rand_err.c | 1 +
crypto/external/bsd/openssl/dist/crypto/rand/rand_lib.c | 8 +
crypto/external/bsd/openssl/dist/crypto/rc2/Makefile.save | 90 +
crypto/external/bsd/openssl/dist/crypto/rc4/Makefile.save | 125 +
crypto/external/bsd/openssl/dist/crypto/rc4/asm/rc4-parisc.pl | 3 +-
crypto/external/bsd/openssl/dist/crypto/ripemd/Makefile.save | 95 +
crypto/external/bsd/openssl/dist/crypto/rsa/Makefile.save | 308 ++
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_chk.c | 6 +
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pmeth.c | 2 +
crypto/external/bsd/openssl/dist/crypto/seed/Makefile.save | 106 +
crypto/external/bsd/openssl/dist/crypto/sha/Makefile | 4 +-
crypto/external/bsd/openssl/dist/crypto/sha/Makefile.save | 168 +
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-parisc.pl | 3 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-x86_64.pl | 4 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-mips.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-parisc.pl | 2 +
crypto/external/bsd/openssl/dist/crypto/sha/sha512.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/srp/Makefile.save | 98 +
crypto/external/bsd/openssl/dist/crypto/srp/srp_grps.h | 816 +++---
crypto/external/bsd/openssl/dist/crypto/srp/srp_lib.c | 18 +-
crypto/external/bsd/openssl/dist/crypto/stack/Makefile.save | 84 +
crypto/external/bsd/openssl/dist/crypto/ts/Makefile.save | 269 ++
crypto/external/bsd/openssl/dist/crypto/txt_db/Makefile.save | 84 +
crypto/external/bsd/openssl/dist/crypto/ui/Makefile.save | 111 +
crypto/external/bsd/openssl/dist/crypto/whrlpool/Makefile.save | 96 +
crypto/external/bsd/openssl/dist/crypto/x509/Makefile.save | 407 +++
crypto/external/bsd/openssl/dist/crypto/x509/x_all.c | 2 +
crypto/external/bsd/openssl/dist/crypto/x509v3/Makefile.save | 591 +++++
crypto/external/bsd/openssl/dist/crypto/x86cpuid.pl | 2 +
crypto/external/bsd/openssl/dist/demos/x509/mkreq.c | 5 +-
crypto/external/bsd/openssl/dist/doc/apps/rsa.pod | 15 +
crypto/external/bsd/openssl/dist/doc/crypto/X509_STORE_CTX_get_error.pod | 2 +
crypto/external/bsd/openssl/dist/doc/crypto/ecdsa.pod | 10 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_options.pod | 5 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_connect.pod | 10 +-
crypto/external/bsd/openssl/dist/engines/Makefile.save | 335 +++
crypto/external/bsd/openssl/dist/engines/ccgost/Makefile.save | 275 ++
crypto/external/bsd/openssl/dist/engines/ccgost/gost89.h | 4 -
crypto/external/bsd/openssl/dist/openssl.spec | 9 +-
crypto/external/bsd/openssl/dist/ssl/Makefile.save | 1061 ++++++++++
crypto/external/bsd/openssl/dist/ssl/d1_both.c | 13 +-
crypto/external/bsd/openssl/dist/ssl/d1_clnt.c | 36 +-
crypto/external/bsd/openssl/dist/ssl/d1_lib.c | 1 +
crypto/external/bsd/openssl/dist/ssl/s3_both.c | 8 +-
crypto/external/bsd/openssl/dist/ssl/s3_cbc.c | 2 +-
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 8 +-
crypto/external/bsd/openssl/dist/test/Makefile.save | 729 ++++++
crypto/external/bsd/openssl/dist/test/cms-test.pl | 4 +-
crypto/external/bsd/openssl/dist/util/shlib_wrap.sh | 6 +-
134 files changed, 15065 insertions(+), 738 deletions(-)
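Review bot: The diffstat adds a Makefile.save next to almost every Makefile in the tree (apps/Makefile.save at 1056 lines, ssl/Makefile.save at 1061, crypto/asn1/Makefile.save at 930, and so on), which accounts for most of the 15065 insertions and is not mentioned in the description. By their name these look like saved copies of the Makefiles rather than sources. If they came in with the upstream tarball and the build does not use them, leaving them out of the import would keep the security-relevant changes (ssl/d1_both.c, ssl/d1_clnt.c, ssl/s3_both.c, ssl/ssl_lib.c) easier to find in the diff.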
diffs (truncated from 17914 to 300 lines):
diff -r da3d48e2caab -r 7b3bcc75f77f crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Sat Jan 11 17:32:20 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Sat Jan 11 18:11:10 2014 +0000
@@ -2,9 +2,31 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
+
+ *) Fix for TLS record tampering bug. A carefully crafted invalid
+ handshake could crash OpenSSL with a NULL pointer exception.
+ Thanks to Anton Johansson for reporting this issues.
+ (CVE-2013-4353)
+
+ *) Keep original DTLS digest and encryption contexts in retransmission
+ structures so we can use the previous session parameters if they need
+ to be resent. (CVE-2013-6450)
+ [Steve Henson]
+
+ *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ [Rob Stradling, Adam Langley]
+
Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
- *)
+ *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+ supporting platforms or when small records were transferred.
+ [Andy Polyakov, Steve Henson]
Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
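Review bot: The new 1.0.1f section documents CVE-2013-4353 and CVE-2013-6450 but has no entry for CVE-2013-6449, which the NEWS hunk of this same changeset lists as "Fix for TLS version checking bug CVE-2013-6449". Anyone auditing the import from CHANGES or from the commit description alone will not see that a third CVE is covered, so it is worth naming it in the description and reporting the missing entry upstream. Smaller points in the same section: the CVE-2013-4353 entry reads "reporting this issues" and, unlike the two entries after it, carries no bracketed author line.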
@@ -404,6 +426,63 @@
Add command line options to s_client/s_server.
[Steve Henson]
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling%comodo.com@localhost>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 1.0.0i and 1.0.0j [10 May 2012]
+
+ [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+ OpenSSL 1.0.1.]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl%chromium.org@localhost> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
@@ -1394,6 +1473,86 @@
*) Change 'Configure' script to enable Camellia by default.
[NTT]
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling%comodo.com@localhost>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+ *) The fix for CVE-2012-2110 did not take into account that the
+ 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+ int in OpenSSL 0.9.8, making it still vulnerable. Fix by
+ rejecting negative len parameter. (CVE-2012-2131)
+ [Tomas Hoger <thoger%redhat.com@localhost>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl%chromium.org@localhost> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+ *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+ in CMS and PKCS7 code. When RSA decryption fails use a random key for
+ content decryption and always return the same error. Note: this attack
+ needs on average 2^20 messages so it only affects automated senders. The
+ old behaviour can be reenabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+ an MMA defence is not necessary.
+ Thanks to Ivan Nestlerode <inestlerode%us.ibm.com@localhost> for discovering
+ this issue. (CVE-2012-0884)
+ [Steve Henson]
+
+ *) Fix CVE-2011-4619: make sure we really are receiving a
+ client hello before rejecting multiple SGC restarts. Thanks to
+ Ivan Nestlerode <inestlerode%us.ibm.com@localhost> for discovering this bug.
+ [Steve Henson]
+
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
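Review bot: The 0.9.8v entry writes "asn1_d2i_read_bio BUF_mem_grow and BUF_mem_grow_clean", with no comma after asn1_d2i_read_bio and with lower-case "mem", while the 0.9.8w entry just above it in this hunk names the same functions as BUF_MEM_grow and BUF_MEM_grow_clean. A search of the changelog for the spelling used in the 0.9.8w entry finds the CVE-2012-2131 follow-up but misses the original CVE-2012-2110 entry. The 1.0.0i entry in the previous hunk has the same wording. As this is imported text the correction belongs upstream, but it is worth filing so the two entries can be found together.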
@@ -1401,7 +1560,7 @@
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
-
+
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
diff -r da3d48e2caab -r 7b3bcc75f77f crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Sat Jan 11 17:32:20 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Sat Jan 11 18:11:10 2014 +0000
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1e
+VERSION=1.0.1f
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -304,7 +304,8 @@
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
fi; \
- $(MAKE) -e SHLIBDIRS=crypto build-shared; \
+ $(MAKE) -e SHLIBDIRS=crypto CC=$${CC:-$(CC)} build-shared; \
+ touch -c fips_premain_dso$(EXE_EXT); \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
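Review bot: Chaining the new `touch -c fips_premain_dso$(EXE_EXT); \` after `build-shared; \` with a plain `;` makes the touch the last command of the then-branch, so its exit status replaces that of the `$(MAKE) ... build-shared` call. Unless the shell runs the recipe with errexit, a failed shared-library build now ends in success. Joining the two commands with `&&` keeps the build failure visible. The touch also sits after the `fi` that closes the FIPS block, so it runs for non-FIPS builds too; a one-line comment saying why the timestamp has to be refreshed would help the next reader.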
diff -r da3d48e2caab -r 7b3bcc75f77f crypto/external/bsd/openssl/dist/Makefile.org
--- a/crypto/external/bsd/openssl/dist/Makefile.org Sat Jan 11 17:32:20 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile.org Sat Jan 11 18:11:10 2014 +0000
@@ -302,7 +302,8 @@
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
fi; \
- $(MAKE) -e SHLIBDIRS=crypto build-shared; \
+ $(MAKE) -e SHLIBDIRS=crypto CC=$${CC:-$(CC)} build-shared; \
+ touch -c fips_premain_dso$(EXE_EXT); \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
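Review bot: In `CC=$${CC:-$(CC)}` the expansion is unquoted inside an argument to $(MAKE), so the shell field-splits the result. A compiler setting that contains a space (a compiler name followed by a flag, for instance) reaches the sub-make as `CC=` plus the first word only, with the rest passed as a stray extra argument. Writing it as `CC="$${CC:-$(CC)}"` passes the value intact. The hunk is otherwise line-for-line the same change as the one in Makefile at offset 304, so whatever is decided here should be applied to both files.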
diff -r da3d48e2caab -r 7b3bcc75f77f crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Sat Jan 11 17:32:20 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Sat Jan 11 18:11:10 2014 +0000
@@ -5,11 +5,17 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e:
+ Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
+
+ o Fix for TLS record tampering bug CVE-2013-4353
+ o Fix for TLS version checking bug CVE-2013-6449
+ o Fix for DTLS retransmission bug CVE-2013-6450
+
+ Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
o Corrected fix for CVE-2013-0169
- Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d:
+ Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
o Include the fips configuration module.
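Review bot: The date added to the 1.0.1d heading here, [4 Feb 2013], disagrees with the CHANGES file in this same changeset, whose context line reads "Changes between 1.0.1c and 1.0.1d [5 Feb 2013]"; one of the two should be corrected so the release can be dated unambiguously when matching advisories to versions. The new 1.0.1f heading also ends without the colon that the other dated headings in this hunk carry ("[11 Feb 2013]:").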
@@ -17,24 +23,24 @@
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
o Fix for TLS AESNI record handling flaw CVE-2012-2686
- Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c:
+ Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
o Fix TLS/DTLS record length checking bug CVE-2012-2333
o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
- Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b:
+ Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
o Fix compilation error on non-x86 platforms.
o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
- Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a:
+ Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
o Fix for ASN1 overflow bug CVE-2012-2110
o Workarounds for some servers that hang on long client hellos.
o Fix SEGV in AES code.
- Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
+ Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
o TLS/DTLS heartbeat support.
o SCTP support.
@@ -47,17 +53,30 @@
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
o SRP support.
- Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
+ Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
+
+ o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+ o Fix OCSP bad key DoS attack CVE-2013-0166
+
+ Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
+
+ o Fix DTLS record length checking bug CVE-2012-2333
+
+ Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
+
+ o Fix for ASN1 overflow bug CVE-2012-2110