Fix bug in CVE-2011-4619: check we have really received a client hello

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 30f69fe4688f51edb70f43069c5b55257efc43c3..59de4639fa699ea1d8478746045e4425a1cbf301 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,9 +2,20 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8s and 0.9.8t [xx XXX xxxx]
+ Changes between 0.9.8t and 0.9.8u [xx XXX xxxx]
 
-  *)
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
+
+ Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
+
+  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
+     Thanks to Antonio Martin, Enterprise Secure Access Research and
+     Development, Cisco Systems, Inc. for discovering this bug and
+     preparing a fix. (CVE-2012-0050)
+     [Antonio Martin]
 
  Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
 
@@ -29,7 +40,9 @@
      (CVE-2011-4576)
      [Adam Langley (Google)]
 
-  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
+  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
+     Kadianakis <desnacked@gmail.com> for discovering this issue and
+     Adam Langley for preparing the fix. (CVE-2011-4619)
      [Adam Langley (Google)]
  
   *) Prevent malformed RFC3779 data triggering an assertion failure.