Fix excert logic.

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 5fa9cba9744daa654db3d2690552022f1bcb9f35..caee934085c61982fa53892bf3179c31313f3a48 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -43,6 +43,13 @@
      (CVE-2014-3566)
      [Adam Langley, Bodo Moeller]
 
+   *) Tighten client-side session ticket handling during renegotiation:
+      ensure that the client only accepts a session ticket if the server sends
+      the extension anew in the ServerHello. Previously, a TLS client would
+      reuse the old extension state and thus accept a session ticket if one was
+      announced in the initial ServerHello.
+      [Emilia Käsper]
+
   *) Accelerated NIST P-256 elliptic curve implementation for x86_64
      (other platforms pending).
      [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
@@ -363,6 +370,15 @@
      X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
      X509_CINF_get_signature were reverted post internal team review.
 
+ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+
+   *) Tighten client-side session ticket handling during renegotiation:
+      ensure that the client only accepts a session ticket if the server sends
+      the extension anew in the ServerHello. Previously, a TLS client would
+      reuse the old extension state and thus accept a session ticket if one was
+      announced in the initial ServerHello.
+      [Emilia Käsper]
+
  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
 
   *) SRTP Memory Leak.