X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=NEWS;h=e70fcba0928b9555f4d07dd393b868d02a7fa612;hp=f0282ebb87558f8b6f08ca1d6b74c4323f08b0e9;hb=ce33b42bc65a32e21c5553a7b7fa774420c0e0e1;hpb=299024498004473a58e780cdf8ec83e85a04f807 diff --git a/NEWS b/NEWS index f0282ebb87..e70fcba092 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,366 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a: + + o Fix for ASN1 overflow bug CVE-2012-2110 + o Workarounds for some servers that hang on long client hellos. + o Fix SEGV in AES code. + + Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1: + + o TLS/DTLS heartbeat support. + o SCTP support. + o RFC 5705 TLS key material exporter. + o RFC 5764 DTLS-SRTP negotiation. + o Next Protocol Negotiation. + o PSS signatures in certificates, requests and CRLs. + o Support for password based recipient info for CMS. + o Support TLS v1.2 and TLS v1.1. + o Preliminary FIPS capability for unvalidated 2.0 FIPS module. + o SRP support. + + Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i: + + o Fix for ASN1 overflow bug CVE-2012-2110 + + Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h: + + o Fix for CMS/PKCS#7 MMA CVE-2012-0884 + o Corrected fix for CVE-2011-4619 + o Various DTLS fixes. + + Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g: + + o Fix for DTLS DoS issue CVE-2012-0050 + + Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f: + + o Fix for DTLS plaintext recovery attack CVE-2011-4108 + o Clear block padding bytes of SSL 3.0 records CVE-2011-4576 + o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 + o Check parameters are not NULL in GOST ENGINE CVE-2012-0027 + o Check for malformed RFC3779 data CVE-2011-4577 + + Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e: + + o Fix for CRL vulnerability issue CVE-2011-3207 + o Fix for ECDH crashes CVE-2011-3210 + o Protection against EC timing attacks. + o Support ECDH ciphersuites for certificates using SHA2 algorithms. + o Various DTLS fixes. + + Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d: + + o Fix for security issue CVE-2011-0014 + + Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c: + + o Fix for security issue CVE-2010-4180 + o Fix for CVE-2010-4252 + o Fix mishandling of absent EC point format extension. + o Fix various platform compilation issues. + o Corrected fix for security issue CVE-2010-3864. + + Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b: + + o Fix for security issue CVE-2010-3864. + o Fix for CVE-2010-2939 + o Fix WIN32 build system for GOST ENGINE. + + Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a: + + o Fix for security issue CVE-2010-1633. + o GOST MAC and CFB fixes. + + Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0: + + o RFC3280 path validation: sufficient to process PKITS tests. + o Integrated support for PVK files and keyblobs. + o Change default private key format to PKCS#8. + o CMS support: able to process all examples in RFC4134 + o Streaming ASN1 encode support for PKCS#7 and CMS. + o Multiple signer and signer add support for PKCS#7 and CMS. + o ASN1 printing support. + o Whirlpool hash algorithm added. + o RFC3161 time stamp support. + o New generalised public key API supporting ENGINE based algorithms. + o New generalised public key API utilities. + o New ENGINE supporting GOST algorithms. + o SSL/TLS GOST ciphersuite support. + o PKCS#7 and CMS GOST support. + o RFC4279 PSK ciphersuite support. + o Supported points format extension for ECC ciphersuites. + o ecdsa-with-SHA224/256/384/512 signature types. + o dsa-with-SHA224 and dsa-with-SHA256 signature types. + o Opaque PRF Input TLS extension support. + o Updated time routines to avoid OS limitations. + + Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w: + + o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110) + + Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v: + + o Fix for ASN1 overflow bug CVE-2012-2110 + + Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u: + + o Fix for CMS/PKCS#7 MMA CVE-2012-0884 + o Corrected fix for CVE-2011-4619 + o Various DTLS fixes. + + Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t: + + o Fix for DTLS DoS issue CVE-2012-0050 + + Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s: + + o Fix for DTLS plaintext recovery attack CVE-2011-4108 + o Fix policy check double free error CVE-2011-4109 + o Clear block padding bytes of SSL 3.0 records CVE-2011-4576 + o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 + o Check for malformed RFC3779 data CVE-2011-4577 + + Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r: + + o Fix for security issue CVE-2011-0014 + + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: + + o Fix for security issue CVE-2010-4180 + o Fix for CVE-2010-4252 + + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: + + o Fix for security issue CVE-2010-3864. + + Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o: + + o Fix for security issue CVE-2010-0742. + o Various DTLS fixes. + o Recognise SHA2 certificates if only SSL algorithms added. + o Fix for no-rc4 compilation. + o Chil ENGINE unload workaround. + + Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n: + + o CFB cipher definition fixes. + o Fix security issues CVE-2010-0740 and CVE-2010-0433. + + Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m: + + o Cipher definition fixes. + o Workaround for slow RAND_poll() on some WIN32 versions. + o Remove MD2 from algorithm tables. + o SPKAC handling fixes. + o Support for RFC5746 TLS renegotiation extension. + o Compression memory leak fixed. + o Compression session resumption fixed. + o Ticket and SNI coexistence fixes. + o Many fixes to DTLS handling. + + Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l: + + o Temporary work around for CVE-2009-3555: disable renegotiation. + + Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k: + + o Fix various build issues. + o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) + + Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j: + + o Fix security issue (CVE-2008-5077) + o Merge FIPS 140-2 branch code. + + Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h: + + o CryptoAPI ENGINE support. + o Various precautionary measures. + o Fix for bugs affecting certificate request creation. + o Support for local machine keyset attribute in PKCS#12 files. + + Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g: + + o Backport of CMS functionality to 0.9.8. + o Fixes for bugs introduced with 0.9.8f. + + Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f: + + o Add gcc 4.2 support. + o Add support for AES and SSE2 assembly lanugauge optimization + for VC++ build. + o Support for RFC4507bis and server name extensions if explicitly + selected at compile time. + o DTLS improvements. + o RFC4507bis support. + o TLS Extensions support. + + Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e: + + o Various ciphersuite selection fixes. + o RFC3779 support. + + Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d: + + o Introduce limits to prevent malicious key DoS (CVE-2006-2940) + o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) + o Changes to ciphersuite selection algorithm + + Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c: + + o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 + o New cipher Camellia + + Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b: + + o Cipher string fixes. + o Fixes for VC++ 2005. + o Updated ECC cipher suite support. + o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). + o Zlib compression usage fixes. + o Built in dynamic engine compilation support on Win32. + o Fixes auto dynamic engine loading in Win32. + + Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a: + + o Fix potential SSL 2.0 rollback, CVE-2005-2969 + o Extended Windows CE support + + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8: + + o Major work on the BIGNUM library for higher efficiency and to + make operations more streamlined and less contradictory. This + is the result of a major audit of the BIGNUM library. + o Addition of BIGNUM functions for fields GF(2^m) and NIST + curves, to support the Elliptic Crypto functions. + o Major work on Elliptic Crypto; ECDH and ECDSA added, including + the use through EVP, X509 and ENGINE. + o New ASN.1 mini-compiler that's usable through the OpenSSL + configuration file. + o Added support for ASN.1 indefinite length constructed encoding. + o New PKCS#12 'medium level' API to manipulate PKCS#12 files. + o Complete rework of shared library construction and linking + programs with shared or static libraries, through a separate + Makefile.shared. + o Rework of the passing of parameters from one Makefile to another. + o Changed ENGINE framework to load dynamic engine modules + automatically from specifically given directories. + o New structure and ASN.1 functions for CertificatePair. + o Changed the ZLIB compression method to be stateful. + o Changed the key-generation and primality testing "progress" + mechanism to take a structure that contains the ticker + function and an argument. + o New engine module: GMP (performs private key exponentiation). + o New engine module: VIA PadLOck ACE extension in VIA C3 + Nehemiah processors. + o Added support for IPv6 addresses in certificate extensions. + See RFC 1884, section 2.2. + o Added support for certificate policy mappings, policy + constraints and name constraints. + o Added support for multi-valued AVAs in the OpenSSL + configuration file. + o Added support for multiple certificates with the same subject + in the 'openssl ca' index file. + o Make it possible to create self-signed certificates using + 'openssl ca -selfsign'. + o Make it possible to generate a serial number file with + 'openssl ca -create_serial'. + o New binary search functions with extended functionality. + o New BUF functions. + o New STORE structure and library to provide an interface to all + sorts of data repositories. Supports storage of public and + private keys, certificates, CRLs, numbers and arbitrary blobs. + This library is unfortunately unfinished and unused withing + OpenSSL. + o New control functions for the error stack. + o Changed the PKCS#7 library to support one-pass S/MIME + processing. + o Added the possibility to compile without old deprecated + functionality with the OPENSSL_NO_DEPRECATED macro or the + 'no-deprecated' argument to the config and Configure scripts. + o Constification of all ASN.1 conversion functions, and other + affected functions. + o Improved platform support for PowerPC. + o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). + o New X509_VERIFY_PARAM structure to support parametrisation + of X.509 path validation. + o Major overhaul of RC4 performance on Intel P4, IA-64 and + AMD64. + o Changed the Configure script to have some algorithms disabled + by default. Those can be explicitely enabled with the new + argument form 'enable-xxx'. + o Change the default digest in 'openssl' commands from MD5 to + SHA-1. + o Added support for DTLS. + o New BIGNUM blinding. + o Added support for the RSA-PSS encryption scheme + o Added support for the RSA X.931 padding. + o Added support for BSD sockets on NetWare. + o Added support for files larger than 2GB. + o Added initial support for Win64. + o Added alternate pkg-config files. + + Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m: + + o FIPS 1.1.1 module linking. + o Various ciphersuite selection fixes. + + Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l: + + o Introduce limits to prevent malicious key DoS (CVE-2006-2940) + o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) + + Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k: + + o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 + + Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j: + + o Visual C++ 2005 fixes. + o Update Windows build system for FIPS. + + Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i: + + o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build. + + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h: + + o Fix SSL 2.0 Rollback, CVE-2005-2969 + o Allow use of fixed-length exponent on DSA signing + o Default fixed-window RSA, DSA, DH private-key operations + + Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g: + + o More compilation issues fixed. + o Adaptation to more modern Kerberos API. + o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. + o Enhanced x86_64 assembler BIGNUM module. + o More constification. + o Added processing of proxy certificates (RFC 3820). + + Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f: + + o Several compilation issues fixed. + o Many memory allocation failure checks added. + o Improved comparison of X509 Name type. + o Mandatory basic checks on certificates. + o Performance improvements. + + Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e: + + o Fix race condition in CRL checking code. + o Fixes to PKCS#7 (S/MIME) code. + + Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: + + o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug + o Security: Fix null-pointer assignment in do_change_cipher_spec() + o Allow multiple active certificates with same subject in CA index + o Multiple X509 verification fixes + o Speed up HMAC and other operations + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: o Security: fix various ASN1 parsing bugs.