Update for 0.9.8s and 1.0.0f.

     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)

     [Rob Austein <sra@hactrn.net>]

  *) Improved PRNG seeding for VOS.

     [Paul Green <Paul.Green@stratus.com>]

  *) Fix ssl_ciph.c set-up race.

     [Adam Langley (Google)]

  *) Change 'Configure' script to enable Camellia by default.

     [NTT]

 Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]

 Changes between 0.9.8r and 0.9.8s [4 Jan 2012]

  *) Nadhem Alfardan and Kenny Paterson have discovered an extension

     of the Vaudenay padding oracle attack on CBC mode encryption

     which enables an efficient plaintext recovery attack against

     the OpenSSL implementation of DTLS. Their attack exploits timing

     differences arising during decryption processing. A research

     paper describing this attack can be found at:

                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information

     Security Group at Royal Holloway, University of London

     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann

     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>

     for preparing the fix. (CVE-2011-4108)

     [Robin Seggelmann, Michael Tuexen]

  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)

     [Ben Laurie, Kasper <ekasper@google.com>]

  *) Clear bytes used for block padding of SSL 3.0 records.

     (CVE-2011-4576)

     [Adam Langley (Google)]

  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)

     [Adam Langley (Google)]

  *) Prevent malformed RFC3779 data triggering an assertion failure.

     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw

     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)

     [Rob Austein <sra@hactrn.net>]

  *) Fix ssl_ciph.c set-up race.

     [Adam Langley (Google)]