X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=f5351f857f13c2030a21d0447aa6cee771af9fe6;hp=76a379376401ca85d6728883d4bce16bee578bf2;hb=e9be051f3a248485a1e25f0babff9f642b6ba1a5;hpb=39239280f3576f3418dadbf751bc7a2bb3252d4e

diff --git a/CHANGES b/CHANGES
index 76a3793764..f5351f857f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -161,6 +161,10 @@
 
  Changes between 1.0.0a and 1.0.0b  [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
   *) Fix WIN32 build system to correctly link an ENGINE directory into
      a DLL. 
      [Steve Henson]
@@ -1014,6 +1018,13 @@
   
  Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
   *) Don't reencode certificate when calculating signature: cache and use
      the original encoding instead. This makes signature verification of
      some broken encodings work correctly.