X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=f2a467bb248c59ed5ba4bd8b7bc8c6fb6817176a;hp=d3d56373668b44b3f1cb678585a130f61c32ea7b;hb=11f3cee93b667bc567262386fe84006afb6e6872;hpb=f434730524aa3846f70ace812edd568347eab13d

diff --git a/CHANGES b/CHANGES
index d3d5637366..f2a467bb24 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,22 @@
 
  Changes between 0.9.8g and 0.9.9  [xx XXX xxxx]
 
+  *) Removed effectively defunct crypto/store from the build.
+     [Ben Laurie]
+
+  *) Revamp of STACK to provide stronger type-checking. Still to come:
+     TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
+     ASN1_STRING, CONF_VALUE.
+     [Ben Laurie]
+
+  *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
+     RAM on SSL connections.  This option can save about 34k per idle SSL.
+     [Nick Mathewson]
+
+  *) Revamp of LHASH to provide stronger type-checking. Still to come:
+     STACK, TXT_DB, bsearch, qsort.
+     [Ben Laurie]
+
   *) Not all of this is true any longer.
      Will have to be updated to reflect all subsequent changes to cryptlib.c.
                                                                        --bodo
@@ -684,7 +700,39 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]
+ Changes between 0.9.8h and 0.9.8i  [xx XXX xxxx]
+
+  *) Expand ENGINE to support engine supplied SSL client certificate functions.
+     [Steve Henson]
+
+  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows         keystores. Support for SSL/TLS client authentication too.
+     Not compiled unless enable-capieng specified to Configure.
+     [Steve Henson]
+
+ Changes between 0.9.8g and 0.9.8h  [28 May 2008]
+
+  *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
+     handshake which could lead to a cilent crash as found using the
+     Codenomicon TLS test suite (CVE-2008-1672) 
+     [Steve Henson, Mark Cox]
+
+  *) Fix double free in TLS server name extensions which could lead to
+     a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) 
+     [Joe Orton]
+
+  *) Clear error queue in SSL_CTX_use_certificate_chain_file()
+
+     Clear the error queue to ensure that error entries left from
+     older function calls do not interfere with the correct operation.
+     [Lutz Jaenicke, Erik de Castro Lopo]
+
+  *) Remove root CA certificates of commercial CAs:
+
+     The OpenSSL project does not recommend any specific CA and does not
+     have any policy with respect to including or excluding any CA.
+     Therefore it does not make any sense to ship an arbitrary selection
+     of root CA certificates with the OpenSSL software.
+     [Lutz Jaenicke]
 
   *) RSA OAEP patches to fix two separate invalid memory reads.
      The first one involves inputs when 'lzero' is greater than
@@ -692,7 +740,7 @@
      before the beginning of from). The second one involves inputs where
      the 'db' section contains nothing but zeroes (there is a one-byte
      invalid read after the end of 'db').
-     [Ivan Nestlerlode <inestlerode@us.ibm.com>]
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
   
   *) Add TLS session ticket callback. This allows an application to set
      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed