Update CHANGES.

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index df5967cf72af3a99a183df9a6d45d6fa30376f63..d927265fe1142434651d22bb7039bc9d55810a50 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,10 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8j and 0.9.9  [xx XXX xxxx]
+ Changes between 0.9.8k and 0.9.9  [xx XXX xxxx]
+
+  *) Update Gost ENGINE to support parameter files.
+     [Victor B. Wagner <vitus@cryptocom.ru>]
 
   *) Support GeneralizedTime in ca utility. 
      [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]
@@ -746,7 +749,22 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8j and 0.9.8k  [xx XXX xxxx]
+ Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
+
+  *) Don't set val to NULL when freeing up structures, it is freed up by
+     underlying code. If sizeof(void *) > sizeof(long) this can result in
+     zeroing past the valid field. (CVE-2009-0789)
+     [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
+
+  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
+     checked correctly. This would allow some invalid signed attributes to
+     appear to verify correctly. (CVE-2009-0591)
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
+
+  *) Reject UniversalString and BMPString types with invalid lengths. This
+     prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
+     a legal length. (CVE-2009-0590)
+     [Steve Henson]
 
   *) Set S/MIME signing as the default purpose rather than setting it 
      unconditionally. This allows applications to override it at the store