Updates to CHANGES and NEWS for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6949)

diff --git a/CHANGES b/CHANGES
index 8c67dab6996740eab325e48f315932d9e81da620..8d07a23709d2170531f7796132edb0a8d74249cd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -465,6 +465,62 @@
 
  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
 
 
  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
 

+  *) Client DoS due to large DH parameter
+
+     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+     malicious server can send a very large prime value to the client. This will
+     cause the client to spend an unreasonably long period of time generating a
+     key for this prime resulting in a hang until the client has finished. This
+     could be exploited in a Denial Of Service attack.
+
+     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+     (CVE-2018-0732)
+     [Guido Vranken]
+
+  *) Cache timing vulnerability in RSA Key Generation
+
+     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+     a cache timing side channel attack. An attacker with sufficient access to
+     mount cache timing attacks during the RSA key generation process could
+     recover the private key.
+
+     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+     (CVE-2018-0737)
+     [Billy Brumley]
+
+  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
+     parameter is no longer accepted, as it leads to a corrupt table.  NULL
+     pem_str is reserved for alias entries only.
+     [Richard Levitte]
+
+  *) Revert blinding in ECDSA sign and instead make problematic addition
+     length-invariant. Switch even to fixed-length Montgomery multiplication.
+     [Andy Polyakov]
+
+  *) Change generating and checking of primes so that the error rate of not
+     being prime depends on the intended use based on the size of the input.
+     For larger primes this will result in more rounds of Miller-Rabin.
+     The maximal error rate for primes with more than 1080 bits is lowered
+     to 2^-128.
+     [Kurt Roeckx, Annie Yousar]
+
+  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+     [Kurt Roeckx]
+
+  *) Add blinding to ECDSA and DSA signatures to protect against side channel
+     attacks discovered by Keegan Ryan (NCC Group).
+     [Matt Caswell]
+
+  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+     now allow empty (zero character) pass phrases.
+     [Richard Levitte]
+
+  *) Certificate time validation (X509_cmp_time) enforces stricter
+     compliance with RFC 5280. Fractional seconds and timezone offsets
+     are no longer allowed.
+     [Emilia Käsper]
+

   *) Fixed a text canonicalisation bug in CMS
 
      Where a CMS detached signature is used with text content the text goes
   *) Fixed a text canonicalisation bug in CMS
 
      Where a CMS detached signature is used with text content the text goes

diff --git a/NEWS b/NEWS
index 60c841f36f7008d8702be813a7104ed017011082..1f98b931a87617726c423cd7125b8190054c167b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,11 @@
       o Add support for SipHash
       o Grand redesign of the OpenSSL random generator
 
       o Add support for SipHash
       o Grand redesign of the OpenSSL random generator
 

+  Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [under development]
+
+      o Client DoS due to large DH parameter (CVE-2018-0732)
+      o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
+

   Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [under development]
 
       o Constructed ASN.1 types with a recursive definition could exceed the
   Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [under development]
 
       o Constructed ASN.1 types with a recursive definition could exceed the