From: Bodo Möller Date: Thu, 28 Sep 2006 13:29:08 +0000 (+0000) Subject: for completeness, include 0.9.7l information X-Git-Tag: OpenSSL_0_9_8e~76 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bd869183d5f914fc925889a5927b69d7e7a09ac5;p=openssl for completeness, include 0.9.7l information --- diff --git a/CHANGES b/CHANGES index 099b6cc9bc..1ce47e3ccd 100644 --- a/CHANGES +++ b/CHANGES @@ -1008,7 +1008,21 @@ differing sizes. [Richard Levitte] - Changes between 0.9.7k and 0.9.7l [xx XXX xxxx] + Changes between 0.9.7k and 0.9.7l [28 Sep 2006] + + *) Introduce limits to prevent malicious keys being able to + cause a denial of service. (CVE-2006-2940) + [Steve Henson, Bodo Moeller] + + *) Fix ASN.1 parsing of certain invalid structures that can result + in a denial of service. (CVE-2006-2937) [Steve Henson] + + *) Fix buffer overflow in SSL_get_shared_ciphers() function. + (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] + + *) Fix SSL client code which could crash if connecting to a + malicious SSLv2 server. (CVE-2006-4343) + [Tavis Ormandy and Will Drewry, Google Security Team] *) Change ciphersuite string processing so that an explicit ciphersuite selects this one ciphersuite (so that "AES256-SHA" diff --git a/NEWS b/NEWS index ad8033a81b..d8d93ce9a9 100644 --- a/NEWS +++ b/NEWS @@ -105,6 +105,11 @@ o Added initial support for Win64. o Added alternate pkg-config files. + Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l: + + o Introduce limits to prevent malicious key DoS (CVE-2006-2940) + o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) + Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
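Review bot: in the NEWS hunk, the summary line "Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)" disagrees with the CHANGES hunk in the same commit, which records the SSL_get_shared_ciphers() buffer overflow as CVE-2006-3738. One of the two identifiers is a typo, and since NEWS is the file release announcements are copied from, it should be corrected to match CHANGES before tagging; suggest "o Fix security issues (CVE-2006-2937, CVE-2006-3738, CVE-2006-4343)".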
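Review bot: in the CHANGES hunk, the CVE-2006-2940 entry ("Introduce limits to prevent malicious keys being able to cause a denial of service") does not say which key parameters are now bounded or what the limits are, so an operator reading the changelog cannot tell whether unusually large but legitimate keys will start being rejected after upgrading to 0.9.7l. Suggest stating the bounded parameters and the chosen limits in the entry, or pointing to where they are documented.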