update NEWS and CHANGES

author Dr. Stephen Henson <steve@openssl.org>

Mon, 4 Feb 2013 23:18:46 +0000 (23:18 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Tue, 5 Feb 2013 16:50:36 +0000 (16:50 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Mon, 4 Feb 2013 23:18:46 +0000 (23:18 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Tue, 5 Feb 2013 16:50:36 +0000 (16:50 +0000)
diff --git a/CHANGES b/CHANGES

index 8adac3b6d415b380497c39c7ccdbfbbda06d183f..06f5540d4b28db2d91f10f901f73d35936a49250 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,19 @@
  
   Changes between 0.9.8x and 0.9.8y [xx XXX xxxx]
  
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia Käsper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
    *) Return an error when checking OCSP signatures when key is NULL.
       This fixes a DoS attack. (CVE-2013-0166)
       [Steve Henson]
diff --git a/NEWS b/NEWS

index 3217472c19a5b49bbb1ca58e330286a065a24ebb..0de954cf4e768d854480e9ec5bf0e4d264205d6e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
  
    Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y:
  
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
        o Fix OCSP bad key DoS attack CVE-2013-0166
  
    Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x:
author	Dr. Stephen Henson <steve@openssl.org>
	Mon, 4 Feb 2013 23:18:46 +0000 (23:18 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Tue, 5 Feb 2013 16:50:36 +0000 (16:50 +0000)