Remove all root CA files (beyond test CAs including private key)

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 2f26937ebddace2ef1beebd69ea1d4b1373ec9bd..e14c405abb1747dea28df373c0f5a0513f385fce 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -685,6 +685,22 @@
      [NTT]
 
  Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]
+
+  *) Remove root CA certificates of commercial CAs:
+
+     The OpenSSL project does not recommend any specific CA and does not
+     have any policy with respect to including or excluding any CA.
+     Therefore it does not make any sense to ship an arbitrary selection
+     of root CA certificates with the OpenSSL software.
+     [Lutz Jaenicke]
+
+  *) RSA OAEP patches to fix two separate invalid memory reads.
+     The first one involves inputs when 'lzero' is greater than
+     'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
+     before the beginning of from). The second one involves inputs where
+     the 'db' section contains nothing but zeroes (there is a one-byte
+     invalid read after the end of 'db').
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
   
   *) Add TLS session ticket callback. This allows an application to set
      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed