X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=6cea57be1d7b829d0130a32da3e4a6ca56197eb9;hp=03f9d02abe2f1d24d3e5a7d1ba7c23d78034d522;hb=2b49dd1e8f62a5609e9ed7071b3e1d768f347323;hpb=d918f85146ca8e01d721518aac7575976aebdfd1 diff --git a/CHANGES b/CHANGES index 03f9d02abe..6cea57be1d 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,27 @@ *) applies to 0.9.6a (/0.9.6b) and 0.9.7 +) applies to 0.9.7 only + *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 + RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 + when fixing the server behaviour for backwards-compatible 'client + hello' messages. (Note that the attack is impractical against + SSL 3.0 and TLS 1.0 anyway because length and version checking + means that the probability of guessing a valid ciphertext is + around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 + paper.) + + Before 0.9.5, the countermeasure (hide the error by generating a + random 'decryption result') did not work properly because + ERR_clear_error() was missing, meaning that SSL_get_error() would + detect the supposedly ignored error. + + Both problems are now fixed. + [Bodo Moeller] + + *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 + (previously it was 1024). + [Bodo Moeller] + +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also tidy up some unecessarily weird code in 'sk_new()'). [Geoff, reported by Diego Tartara ]
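Review bot: the new CHANGES entry spells the name two ways, "Bleichbacher's attack" in its first line and "Bleichenbacher's CRYPTO '98 paper" later in the same paragraph; the second form is the correct one, so the first line should read "Bleichenbacher's attack on PKCS #1 v1.5". The same line also has "accidentily", which should be "accidentally". A smaller documentation point: the second paragraph says the pre-0.9.5 countermeasure failed because ERR_clear_error() was missing, but unlike the first paragraph (which names s3_srvr.c) it does not say where that call now lives; naming the file would make the entry easier to match to the code change. The parenthetical about the ~2^-40 success probability under SSL 3.0/TLS 1.0 length and version checking is a useful caveat and should stay.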