X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=NEWS;h=c8159993e9e8545baa56e0237d4234770fad4367;hp=6c85116fc87d29b652bca301a65ee5ba24c3c0e6;hb=8bf7d77f33263c81b8e293347edc9a6e43f24d0e;hpb=5dd94f1847c744929a3bd24819f1c99644bb18c7 diff --git a/NEWS b/NEWS index 6c85116fc8..c8159993e9 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,74 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2t [under development] + + o Fixed a padding oracle in PKCS7_decrypt() and CMS_decrypt() + (CVE-2019-1563) + o For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters + o Compute ECC cofactors if not provided during EC_GROUP construction + (CVE-2019-1547) + o Document issue with installation paths in diverse Windows builds + (CVE-2019-1552) + + Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] + + o 0-byte record padding oracle (CVE-2019-1559) + + Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] + + o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407) + o Timing vulnerability in DSA signature generation (CVE-2018-0734) + + Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] + + o Client DoS due to large DH parameter (CVE-2018-0732) + o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) + + Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018] + + o Constructed ASN.1 types with a recursive definition could exceed the + stack (CVE-2018-0739) + + Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017] + + o Read/write after SSL object in error state (CVE-2017-3737) + o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) + + Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017] + + o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) + o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) + + Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017] + + o config now recognises 64-bit mingw and chooses mingw64 instead of mingw + + Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] + + o Truncated packet could crash via OOB read (CVE-2017-3731) + o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) + o Montgomery multiplication may produce incorrect results (CVE-2016-7055) + + Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] + + o Missing CRL sanity check (CVE-2016-7052) + + Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] + + o OCSP Status Request extension unbounded memory growth (CVE-2016-6304) + o SWEET32 Mitigation (CVE-2016-2183) + o OOB write in MDC2_Update() (CVE-2016-6303) + o Malformed SHA512 ticket DoS (CVE-2016-6302) + o OOB write in BN_bn2dec() (CVE-2016-2182) + o OOB read in TS_OBJ_print_bio() (CVE-2016-2180) + o Pointer arithmetic undefined behaviour (CVE-2016-2177) + o Constant time flag not preserved in DSA signing (CVE-2016-2178) + o DTLS buffered message DoS (CVE-2016-2179) + o DTLS replay protection DoS (CVE-2016-2181) + o Certificate message OOB reads (CVE-2016-6306) + Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)