diff options
-rw-r--r-- | CHANGES | 30 | ||||
-rw-r--r-- | FAQ | 2 | ||||
-rw-r--r-- | LICENSE | 2 | ||||
-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | README | 4 | ||||
-rw-r--r-- | STATUS | 8 | ||||
-rw-r--r-- | crypto/opensslv.h | 6 | ||||
-rw-r--r-- | openssl.spec | 4 | ||||
-rw-r--r-- | ssl/t1_lib.c | 8 | ||||
-rw-r--r-- | util/mkerr.pl | 2 |
10 files changed, 60 insertions, 14 deletions
@@ -2,7 +2,10 @@ OpenSSL CHANGES _______________ - Changes between 1.0.0c and 1.0.0d [xx XXX xxxx] + Changes between 1.0.0c and 1.0.0d [8 Feb 2011] + + *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 + [Neel Mehta, Adam Langley, Bodo Moeller (Google)] *) Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is @@ -879,11 +882,34 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] - Changes between 0.9.8o and 0.9.8p [xx XXX xxxx] + Changes between 0.9.8q and 0.9.8r [8 Feb 2011] + + *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 + [Neel Mehta, Adam Langley, Bodo Moeller (Google)] + + *) Fix bug in string printing code: if *any* escaping is enabled we must + escape the escape character (backslash) or the resulting string is + ambiguous. + [Steve Henson] + + Changes between 0.9.8p and 0.9.8q [2 Dec 2010] + + *) Disable code workaround for ancient and obsolete Netscape browsers + and servers: an attacker can use it in a ciphersuite downgrade attack. + Thanks to Martin Rex for discovering this bug. CVE-2010-4180 + [Steve Henson] + + *) Fixed J-PAKE implementation error, originally discovered by + Sebastien Martini, further info and confirmation from Stefan + Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 + [Ben Laurie] + + Changes between 0.9.8o and 0.9.8p [16 Nov 2010] *) Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. CVE-2010-3864 + [Steve Henson] *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 [Steve Henson] @@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 1.0.0c was released on Dec 2nd, 2010. +OpenSSL 1.0.0d was released on Feb 8th, 2011. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d: + + o Fix for security issue CVE-2011-0014 + Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c: o Fix for security issue CVE-2010-4180 @@ -47,6 +51,10 @@ o Opaque PRF Input TLS extension support. o Updated time routines to avoid OS limitations. + Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r: + + o Fix for security issue CVE-2011-0014 + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: o Fix for security issue CVE-2010-4180 @@ -1,7 +1,7 @@ - OpenSSL 1.0.0d-dev + OpenSSL 1.0.0d - Copyright (c) 1998-2010 The OpenSSL Project + Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. @@ -1,14 +1,20 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2010/12/02 18:29:03 $ + ______________ $Date: 2011/02/08 17:10:52 $ DEVELOPMENT STATE o OpenSSL 1.1.0: Under development... + o OpenSSL 1.0.1: Under development... + o OpenSSL 1.0.0d: Released on February 8nd, 2011 o OpenSSL 1.0.0c: Released on December 2nd, 2010 o OpenSSL 1.0.0b: Released on November 16th, 2010 o OpenSSL 1.0.0a: Released on June 1st, 2010 o OpenSSL 1.0.0: Released on March 29th, 2010 + o OpenSSL 0.9.8r: Released on February 8nd, 2011 + o OpenSSL 0.9.8q: Released on December 2nd, 2010 + o OpenSSL 0.9.8p: Released on November 16th, 2010 + o OpenSSL 0.9.8o: Released on June 1st, 2010 o OpenSSL 0.9.8n: Released on March 24th, 2010 o OpenSSL 0.9.8m: Released on February 25th, 2010 o OpenSSL 0.9.8l: Released on November 5th, 2009 diff --git a/crypto/opensslv.h b/crypto/opensslv.h index e486b8f647..e7fca83454 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x10000040L +#define OPENSSL_VERSION_NUMBER 0x1000004fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips-dev xx XXX xxxx" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips 8 Feb 2011" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-dev xx XXX xxxx" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d 8 Feb 2011" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl.spec b/openssl.spec index 9927150609..bcfb32612d 100644 --- a/openssl.spec +++ b/openssl.spec @@ -9,8 +9,8 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: %{libmaj}.%{libmin}.%{librel} -#Version: %{libmaj}.%{libmin}.%{librel}%{librev} +#Version: %{libmaj}.%{libmin}.%{librel} +Version: %{libmaj}.%{libmin}.%{librel}%{librev} Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Copyright: Freely distributable Group: System Environment/Libraries diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 5cdd7e572a..85371c87b8 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; diff --git a/util/mkerr.pl b/util/mkerr.pl index 15b774f277..d8ea43a5d9 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -391,7 +391,7 @@ foreach $lib (keys %csrc) } else { push @out, "/* ====================================================================\n", -" * Copyright (c) 2001-2010 The OpenSSL Project. All rights reserved.\n", +" * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.\n", " *\n", " * Redistribution and use in source and binary forms, with or without\n", " * modification, are permitted provided that the following conditions\n", |