X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=51e7b08ce2b736e6390969f32ff21a280077678a;hp=66e653e58ddd779ea553a98c5026e4b2683ded98;hb=5dc312215fa54b70cc8b4baec933bcc19525bc03;hpb=19ab579060aa261bb1f7ed3dcd102471dfd556ee

diff --git a/CHANGES b/CHANGES
index 66e653e58d..51e7b08ce2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,14 +4,33 @@
 
  Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
 
+  *) Deprecate SRP_VBASE_get_by_user.
+     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+     In order to fix an unavoidable memory leak (CVE-2016-0798),
+     SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
+     seed, even if the seed is configured.
+
+     Users should use SRP_VBASE_get1_by_user instead. Note that in
+     SRP_VBASE_get1_by_user, caller must free the returned value. Note
+     also that even though configuring the SRP seed attempts to hide
+     invalid usernames by continuing the handshake with fake
+     credentials, this behaviour is not constant time and no strong
+     guarantees are made that the handshake is indistinguishable from
+     that of a valid user.
+     [Emilia KÃ¤sper]
+
   *) Configuration change; it's now possible to build dynamic engines
-     without having to build shared libraries and vice versa.  The
-     only requirement for building dynamic engines is the presence of
-     the DSO module, so configuring "disable-dso" will automatically
-     disable dynamic engines.  Dynamic engines are enabled by default,
-     and can be disabled with "disable-dynamic-engine".
-     This only applies to the engines in engines/, those in
-     crypto/engine/ will always be built into libcrypto (i.e. "static").
+     without having to build shared libraries and vice versa.  This
+     only applies to the engines in engines/, those in crypto/engine/
+     will always be built into libcrypto (i.e. "static").
+
+     Building dynamic engines is enabled by default; to disable, use
+     the configuration option "disable-dynamic-engine".
+
+     The only requirements for building dynamic engines are the
+     presence of the DSO module and building with position independent
+     code, so they will also automatically be disabled if configuring
+     with "disable-dso" or "disable-pic".
 
      The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
      are also taken away from openssl/opensslconf.h, as they are
@@ -24,6 +43,10 @@
      object files.  This means other libraries that use routines from
      libcrypto / libssl can be made into shared libraries regardless
      of how OpenSSL was configured.
+
+     If this isn't desirable, the configuration options "disable-pic"
+     or "no-pic" can be used to disable the use of PIC.  This will
+     also disable building shared libraries and dynamic engines.
      [Richard Levitte]
 
   *) Removed JPAKE code.  It was experimental and has no wide use.