OpenSSL CHANGES
_______________
- Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
+ Changes between 1.0.2 and 1.0.2a [xx XXX xxxx]
+
+ *)
+
+ Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
*) SRTP Memory Leak.
X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
X509_CINF_get_signature were reverted post internal team review.
- Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+ *) Build fixes for the Windows and OpenVMS platforms
+ [Matt Caswell and Richard Levitte]
+
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.
- Thanks to Karthikeyan Bhargavan for reporting this issue.
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
(CVE-2014-3572)
[Steve Henson]
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.