This repository has been archived by the owner on Nov 20, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updating to 1.0.0d with disabled assembly use.
- Loading branch information
Showing
205 changed files
with
3,514 additions
and
1,843 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| The OpenSSL project depends on volunteer efforts and financial support from | ||
| the end user community. That support comes in the form of donations and paid | ||
| sponsorships, software support contracts, paid consulting services | ||
| and commissioned software development. | ||
|
|
||
| Since all these activities support the continued development and improvement | ||
| of OpenSSL we consider all these clients and customers as sponsors of the | ||
| OpenSSL project. | ||
|
|
||
| We would like to identify and thank the following such sponsors for their past | ||
| or current significant support of the OpenSSL project: | ||
|
|
||
| Very significant support: | ||
|
|
||
| OpenGear: www.opengear.com | ||
|
|
||
| Significant support: | ||
|
|
||
| PSW Group: www.psw.net | ||
|
|
||
| Please note that we ask permission to identify sponsors and that some sponsors | ||
| we consider eligible for inclusion here have requested to remain anonymous. | ||
|
|
||
| Additional sponsorship or financial support is always welcome: for more | ||
| information please contact the OpenSSL Software Foundation. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,6 +2,45 @@ | |
| OpenSSL CHANGES | ||
| _______________ | ||
|
|
||
| Changes between 1.0.0c and 1.0.0d [8 Feb 2011] | ||
|
|
||
| *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 | ||
| [Neel Mehta, Adam Langley, Bodo Moeller (Google)] | ||
|
|
||
| *) Fix bug in string printing code: if *any* escaping is enabled we must | ||
| escape the escape character (backslash) or the resulting string is | ||
| ambiguous. | ||
| [Steve Henson] | ||
|
|
||
| Changes between 1.0.0b and 1.0.0c [2 Dec 2010] | ||
|
|
||
| *) Disable code workaround for ancient and obsolete Netscape browsers | ||
| and servers: an attacker can use it in a ciphersuite downgrade attack. | ||
| Thanks to Martin Rex for discovering this bug. CVE-2010-4180 | ||
| [Steve Henson] | ||
|
|
||
| *) Fixed J-PAKE implementation error, originally discovered by | ||
| Sebastien Martini, further info and confirmation from Stefan | ||
| Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 | ||
| [Ben Laurie] | ||
|
|
||
| Changes between 1.0.0a and 1.0.0b [16 Nov 2010] | ||
|
|
||
| *) Fix extension code to avoid race conditions which can result in a buffer | ||
| overrun vulnerability: resumed sessions must not be modified as they can | ||
| be shared by multiple threads. CVE-2010-3864 | ||
| [Steve Henson] | ||
|
|
||
| *) Fix WIN32 build system to correctly link an ENGINE directory into | ||
| a DLL. | ||
| [Steve Henson] | ||
|
|
||
| Changes between 1.0.0 and 1.0.0a [01 Jun 2010] | ||
|
|
||
| *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover | ||
| (CVE-2010-1633) | ||
| [Steve Henson, Peter-Michael Hager <[email protected]>] | ||
|
|
||
| Changes between 0.9.8n and 1.0.0 [29 Mar 2010] | ||
|
|
||
| *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher | ||
|
|
@@ -843,6 +882,73 @@ | |
| *) Change 'Configure' script to enable Camellia by default. | ||
| [NTT] | ||
|
|
||
| Changes between 0.9.8q and 0.9.8r [8 Feb 2011] | ||
|
|
||
| *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 | ||
| [Neel Mehta, Adam Langley, Bodo Moeller (Google)] | ||
|
|
||
| *) Fix bug in string printing code: if *any* escaping is enabled we must | ||
| escape the escape character (backslash) or the resulting string is | ||
| ambiguous. | ||
| [Steve Henson] | ||
|
|
||
| Changes between 0.9.8p and 0.9.8q [2 Dec 2010] | ||
|
|
||
| *) Disable code workaround for ancient and obsolete Netscape browsers | ||
| and servers: an attacker can use it in a ciphersuite downgrade attack. | ||
| Thanks to Martin Rex for discovering this bug. CVE-2010-4180 | ||
| [Steve Henson] | ||
|
|
||
| *) Fixed J-PAKE implementation error, originally discovered by | ||
| Sebastien Martini, further info and confirmation from Stefan | ||
| Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 | ||
| [Ben Laurie] | ||
|
|
||
| Changes between 0.9.8o and 0.9.8p [16 Nov 2010] | ||
|
|
||
| *) Fix extension code to avoid race conditions which can result in a buffer | ||
| overrun vulnerability: resumed sessions must not be modified as they can | ||
| be shared by multiple threads. CVE-2010-3864 | ||
| [Steve Henson] | ||
|
|
||
| *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 | ||
| [Steve Henson] | ||
|
|
||
| *) Don't reencode certificate when calculating signature: cache and use | ||
| the original encoding instead. This makes signature verification of | ||
| some broken encodings work correctly. | ||
| [Steve Henson] | ||
|
|
||
| *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT | ||
| is also one of the inputs. | ||
| [Emilia K�sper <[email protected]> (Google)] | ||
|
|
||
| *) Don't repeatedly append PBE algorithms to table if they already exist. | ||
| Sort table on each new add. This effectively makes the table read only | ||
| after all algorithms are added and subsequent calls to PKCS12_pbe_add | ||
| etc are non-op. | ||
| [Steve Henson] | ||
|
|
||
| Changes between 0.9.8n and 0.9.8o [01 Jun 2010] | ||
|
|
||
| [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after | ||
| OpenSSL 1.0.0.] | ||
|
|
||
| *) Correct a typo in the CMS ASN1 module which can result in invalid memory | ||
| access or freeing data twice (CVE-2010-0742) | ||
| [Steve Henson, Ronald Moesbergen <[email protected]>] | ||
|
|
||
| *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more | ||
| common in certificates and some applications which only call | ||
| SSL_library_init and not OpenSSL_add_all_algorithms() will fail. | ||
| [Steve Henson] | ||
|
|
||
| *) VMS fixes: | ||
| Reduce copying into .apps and .test in makevms.com | ||
| Don't try to use blank CA certificate in CA.com | ||
| Allow use of C files from original directories in maketests.com | ||
| [Steven M. Schweda" <[email protected]>] | ||
|
|
||
| Changes between 0.9.8m and 0.9.8n [24 Mar 2010] | ||
|
|
||
| *) When rejecting SSL/TLS records due to an incorrect version number, never | ||
|
|
@@ -851,8 +957,8 @@ | |
| - OpenSSL 0.9.8f if 'short' is longer than 16 bits, | ||
| the previous behavior could result in a read attempt at NULL when | ||
| receiving specific incorrect SSL/TLS records once record payload | ||
| protection is active. (CVE-2010-####) | ||
| [Bodo Moeller, Adam Langley] | ||
| protection is active. (CVE-2010-0740) | ||
| [Bodo Moeller, Adam Langley <[email protected]>] | ||
|
|
||
| *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL | ||
| could be crashed if the relevant tables were not present (e.g. chrooted). | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -52,6 +52,9 @@ OpenSSL - Frequently Asked Questions | |
| * Why does the OpenSSL test suite fail in sha512t on x86 CPU? | ||
| * Why does compiler fail to compile sha512.c? | ||
| * Test suite still fails, what to do? | ||
| * I think I've found a bug, what should I do? | ||
| * I'm SURE I've found a bug, how do I report it? | ||
| * I've found a security issue, how do I report it? | ||
|
|
||
| [PROG] Questions about programming with OpenSSL | ||
|
|
||
|
|
@@ -79,7 +82,7 @@ OpenSSL - Frequently Asked Questions | |
| * Which is the current version of OpenSSL? | ||
|
|
||
| The current version is available from <URL: http://www.openssl.org>. | ||
| OpenSSL 1.0.0 was released on Mar 29th, 2010. | ||
| OpenSSL 1.0.0d was released on Feb 8th, 2011. | ||
|
|
||
| In addition to the current stable release, you can also access daily | ||
| snapshots of the OpenSSL development version at <URL: | ||
|
|
@@ -131,7 +134,7 @@ OpenSSL. Information on the OpenSSL mailing lists is available from | |
| * Where can I get a compiled version of OpenSSL? | ||
|
|
||
| You can finder pointers to binary distributions in | ||
| http://www.openssl.org/related/binaries.html . | ||
| <URL: http://www.openssl.org/related/binaries.html> . | ||
|
|
||
| Some applications that use OpenSSL are distributed in binary form. | ||
| When using such an application, you don't need to install OpenSSL | ||
|
|
@@ -463,7 +466,7 @@ administrators. | |
| Other projects do have other policies so you can for example extract the CA | ||
| bundle used by Mozilla and/or modssl as described in this article: | ||
|
|
||
| http://www.mail-archive.com/[email protected]/msg16980.html | ||
| <URL: http://www.mail-archive.com/[email protected]/msg16980.html> | ||
|
|
||
|
|
||
| [BUILD] ======================================================================= | ||
|
|
@@ -505,7 +508,7 @@ when you run the test suite (using "make test"). The message returned is | |
| "bc: 1 not implemented". | ||
|
|
||
| The best way to deal with this is to find another implementation of bc | ||
| and compile/install it. GNU bc (see http://www.gnu.org/software/software.html | ||
| and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html> | ||
| for download instructions) can be safely used, for example. | ||
|
|
||
|
|
||
|
|
@@ -516,7 +519,7 @@ that the OpenSSL bntest throws at it. This gets triggered when you run the | |
| test suite (using "make test"). The message returned is "bc: stack empty". | ||
|
|
||
| The best way to deal with this is to find another implementation of bc | ||
| and compile/install it. GNU bc (see http://www.gnu.org/software/software.html | ||
| and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html> | ||
| for download instructions) can be safely used, for example. | ||
|
|
||
|
|
||
|
|
@@ -709,6 +712,46 @@ never make sense, and tend to emerge when you least expect them. In order | |
| to identify one, drop optimization level, e.g. by editing CFLAG line in | ||
| top-level Makefile, recompile and re-run the test. | ||
|
|
||
| * I think I've found a bug, what should I do? | ||
|
|
||
| If you are a new user then it is quite likely you haven't found a bug and | ||
| something is happening you aren't familiar with. Check this FAQ, the associated | ||
| documentation and the mailing lists for similar queries. If you are still | ||
| unsure whether it is a bug or not submit a query to the openssl-users mailing | ||
| list. | ||
|
|
||
|
|
||
| * I'm SURE I've found a bug, how do I report it? | ||
|
|
||
| Bug reports with no security implications should be sent to the request | ||
| tracker. This can be done by mailing the report to <[email protected]> (or its | ||
| alias <[email protected]>), please note that messages sent to the | ||
| request tracker also appear in the public openssl-dev mailing list. | ||
|
|
||
| The report should be in plain text. Any patches should be sent as | ||
| plain text attachments because some mailers corrupt patches sent inline. | ||
| If your issue affects multiple versions of OpenSSL check any patches apply | ||
| cleanly and, if possible include patches to each affected version. | ||
|
|
||
| The report should be given a meaningful subject line briefly summarising the | ||
| issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. | ||
|
|
||
| By sending reports to the request tracker the bug can then be given a priority | ||
| and assigned to the appropriate maintainer. The history of discussions can be | ||
| accessed and if the issue has been addressed or a reason why not. If patches | ||
| are only sent to openssl-dev they can be mislaid if a team member has to | ||
| wade through months of old messages to review the discussion. | ||
|
|
||
| See also <URL: http://www.openssl.org/support/rt.html> | ||
|
|
||
|
|
||
| * I've found a security issue, how do I report it? | ||
|
|
||
| If you think your bug has security implications then please send it to | ||
| [email protected] if you don't get a prompt reply at least | ||
| acknowledging receipt then resend or mail it directly to one of the | ||
| more active team members (e.g. Steve). | ||
|
|
||
| [PROG] ======================================================================== | ||
|
|
||
| * Is OpenSSL thread-safe? | ||
|
|
@@ -722,7 +765,7 @@ file. | |
| Multi-threaded applications must provide two callback functions to | ||
| OpenSSL by calling CRYPTO_set_locking_callback() and | ||
| CRYPTO_set_id_callback(), for all versions of OpenSSL up to and | ||
| including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback() | ||
| including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback() | ||
| and associated APIs are deprecated by CRYPTO_THREADID_set_callback() | ||
| and friends. This is described in the threads(3) manpage. | ||
|
|
||
|
|
||
Oops, something went wrong.