Some precautions to avoid potential security-relevant problems.

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 6e1bf9c0a4a220410e977e93a989bc8494f4449b..b9a6d8364117636c95958d77b0794ab84647bc1c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]
 
+  *) Delta CRL support. New use deltas option which will attempt to locate
+     and search any appropriate delta CRLs available.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
   *) Support for CRLs partitioned by reason code. Reorganise CRL processing
      code and add additional score elements. Validate alternate CRL paths
      as part of the CRL checking and indicate a new error "CRL path validation
@@ -699,6 +705,22 @@
 
  Changes between 0.9.8h and 0.9.8i  [xx XXX xxxx]
 
+  *) Various precautionary measures:
+
+     - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
+
+     - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
+       (NB: This would require knowledge of the secret session ticket key
+       to exploit, in which case you'd be SOL either way.)
+
+     - Change bn_nist.c so that it will properly handle input BIGNUMs
+       outside the expected range.
+
+     - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
+       builds.
+
+     [Neel Mehta, Bodo Moeller]
+
   *) Add support for Local Machine Keyset attribute in PKCS#12 files.
      [Steve Henson]