Skip to content
  1. Oct 23, 2006
  2. Oct 21, 2006
  3. Oct 20, 2006
  4. Oct 19, 2006
  5. Oct 18, 2006
  6. Oct 17, 2006
  7. Oct 11, 2006
  8. Oct 05, 2006
  9. Oct 04, 2006
  10. Oct 03, 2006
  11. Sep 29, 2006
  12. Sep 28, 2006
    • Bodo Möller's avatar
      All 0.9.8d patches have been applied to HEAD now, so we no longer need · 3c5406b3
      Bodo Möller authored
      the redundant entries under the 0.9.9 heading.
      3c5406b3
    • Bodo Möller's avatar
      Introduce limits to prevent malicious keys being able to · 5e3225cc
      Bodo Möller authored
      cause a denial of service.  (CVE-2006-2940)
      [Steve Henson, Bodo Moeller]
      5e3225cc
    • Bodo Möller's avatar
      include 0.9.8d and 0.9.7l information · 61118caa
      Bodo Möller authored
      61118caa
    • Mark J. Cox's avatar
      Fix ASN.1 parsing of certain invalid structures that can result · 348be7ec
      Mark J. Cox authored
      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
      348be7ec
    • Mark J. Cox's avatar
      Fix buffer overflow in SSL_get_shared_ciphers() function. · 3ff55e96
      Mark J. Cox authored
      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
      
      Fix SSL client code which could crash if connecting to a
       malicious SSLv2 server.  (CVE-2006-4343)
      [Tavis Ormandy and Will Drewry, Google Security Team]
      3ff55e96
    • Richard Levitte's avatar
      Fixes for the following claims: · cbb92dfa
      Richard Levitte authored
        1) Certificate Message with no certs
      
        OpenSSL implementation sends the Certificate message during SSL
        handshake, however as per the specification, these have been omitted.
      
        -- RFC 2712 --
           CertificateRequest, and the ServerKeyExchange shown in Figure 1
           will be omitted since authentication and the establishment of a
           master secret will be done using the client's Kerberos credentials
           for the TLS server.  The client's certificate will be omitted for
           the same reason.
        -- RFC 2712 --
      
        3) Pre-master secret Protocol version
      
        The pre-master secret generated by OpenSSL does not have the correct
        client version.
      
        RFC 2712 says, if the Kerberos option is selected, the pre-master
        secret structure is the same as that used in the RSA case.
      
        TLS specification defines pre-master secret as:
               struct {
                   ProtocolVersion client_version;
                   opaque random[46];
               } PreMasterSecret;
      
        where client_version is the latest protocol version supported by the
        client
      
        The pre-master secret generated by OpenSSL does not have the correct
        client version. The implementation does not update the first 2 bytes
        of random secret for Kerberos Cipher suites. At the server-end, the
        client version from the pre-master secret is not validated.
      
      PR: 1336
      cbb92dfa
  13. Sep 26, 2006
  14. Sep 25, 2006
  15. Sep 23, 2006
  16. Sep 22, 2006
  17. Sep 21, 2006