From: Matt Caswell Date: Thu, 2 Jul 2015 14:38:32 +0000 (+0100) Subject: Update CHANGES and NEWS for the new release X-Git-Tag: OpenSSL_1_1_0-pre1~933 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f47ced0157059edee2d4c0d94fcf76e08763c5f;p=openssl Update CHANGES and NEWS for the new release Reviewed-by: Stephen Henson --- diff --git a/CHANGES b/CHANGES index 057909ea47..4f0749d370 100644 --- a/CHANGES +++ b/CHANGES @@ -434,7 +434,29 @@ whose return value is often ignored. [Steve Henson] - Changes between 1.0.2a and 1.0.2b [xx XXX xxxx] + Changes between 1.0.2c and 1.0.2d [xx XXX xxxx] + + *) Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and "issue" an invalid certificate. + + This issue was reported to OpenSSL by Adam Langley/David Benjamin + (Google/BoringSSL). + [Matt Caswell] + + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + [Matt Caswell] + + Changes between 1.0.2a and 1.0.2b [11 Jun 2015] *) Malformed ECParameters causes infinite loop diff --git a/NEWS b/NEWS index beb2dd3d86..e51526ea35 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [under development] + Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [under development] + + o Alternate chains certificate forgery (CVE-2015-1793) + + Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] + + o Fix HMAC ABI incompatibility + + Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015] o Malformed ECParameters causes infinite loop (CVE-2015-1788) o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)