Update CHANGES and NEWS

 Changes between 1.0.2d and 1.0.2e [xx XXX xxxx]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring

     procedure. No EC algorithms are affected. Analysis suggests that attacks

     against RSA and DSA as a result of this defect would be very difficult to

     perform and are not believed likely. Attacks against DH are considered just

     feasible (although very difficult) because most of the work necessary to

     deduce information about a private key may be performed offline. The amount

     of resources required for such an attack would be very significant and

     likely only accessible to a limited number of attackers. An attacker would

     additionally need online access to an unpatched system using the target

     private key in a scenario with persistent DH parameters and a private

     key that is shared between multiple clients. For example this can occur by

     default in OpenSSL DHE based SSL/TLS ciphersuites.

     This issue was reported to OpenSSL by Hanno Böck.

     (CVE-2015-3193)

     [Andy Polyakov]

  *) Certificate verify crash with missing PSS parameter

     The signature verification routines will crash with a NULL pointer

     dereference if presented with an ASN.1 signature using the RSA PSS

     algorithm and absent mask generation function parameter. Since these

     routines are used to verify certificate signature algorithms this can be

     used to crash any certificate verification operation and exploited in a

     DoS attack. Any application which performs certificate verification is

     vulnerable including OpenSSL clients and servers which enable client

     authentication.

     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).

     (CVE-2015-3194)

     [Stephen Henson]

  *) X509_ATTRIBUTE memory leak

     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak

     memory. This structure is used by the PKCS#7 and CMS routines so any

     application which reads PKCS#7 or CMS data from untrusted sources is

     affected. SSL/TLS is not affected.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using

     libFuzzer.

     (CVE-2015-3195)

     [Stephen Henson]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.

     This changes the decoding behaviour for some invalid messages,

     though the change is mostly in the more lenient direction, and

     This issue was reported to OpenSSL by Adam Langley/David Benjamin

     (Google/BoringSSL).

     (CVE-2015-1793)

     [Matt Caswell]

  *) Race condition handling PSK identify hint

     If PSK identity hints are received by a multi-threaded client then

     the values are wrongly updated in the parent SSL_CTX structure. This can

     result in a race condition potentially leading to a double free of the

     identify hint data.

     (CVE-2015-3196)

     [Stephen Henson]

 Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI

  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [under development]

      o

      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)

      o Certificate verify crash with missing PSS parameter (CVE-2015-3194)

      o X509_ATTRIBUTE memory leak (CVE-2015-3195)

      o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs

      o In DSA_generate_parameters_ex, if the provided seed is too short,

        return an error

  Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]

      o Alternate chains certificate forgery (CVE-2015-1793)

      o Race condition handling PSK identify hint (CVE-2015-3196)

  Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]