Skip to content
  1. Oct 27, 2006
  3. Oct 19, 2006
  5. Oct 05, 2006
  7. Oct 04, 2006
  9. Sep 29, 2006
  11. Sep 28, 2006
    • Bodo Möller's avatar
      fix typo · 0c66d3ae
      Bodo Möller authored
      0c66d3ae
    • Bodo Möller's avatar
      for completeness, include 0.9.7l information · bd869183
      Bodo Möller authored
      bd869183
    • Richard Levitte's avatar
      Fixes for the following claims: · 7e2bf831
      Richard Levitte authored 
        1) Certificate Message with no certs

  OpenSSL implementation sends the Certificate message during SSL
  handshake, however as per the specification, these have been omitted.

  -- RFC 2712 --
     CertificateRequest, and the ServerKeyExchange shown in Figure 1
     will be omitted since authentication and the establishment of a
     master secret will be done using the client's Kerberos credentials
     for the TLS server.  The client's certificate will be omitted for
     the same reason.
  -- RFC 2712 --

  3) Pre-master secret Protocol version

  The pre-master secret generated by OpenSSL does not have the correct
  client version.

  RFC 2712 says, if the Kerberos option is selected, the pre-master
  secret structure is the same as that used in the RSA case.

  TLS specification defines pre-master secret as:
         struct {
             ProtocolVersion client_version;
             opaque random[46];
         } PreMasterSecret;

  where client_version is the latest protocol version supported by the
  client

  The pre-master secret generated by OpenSSL does not have the correct
  client version. The implementation does not update the first 2 bytes
  of random secret for Kerberos Cipher suites. At the server-end, the
  client version from the pre-master secret is not validated.

PR: 1336
      7e2bf831
    • Mark J. Cox's avatar
      After tagging, bump ready for 0.9.8e development · 25e52a78
      Mark J. Cox authored
      25e52a78
    • Mark J. Cox's avatar
      Prepare for 0.9.8d release · 47c4bb2d
      Mark J. Cox authored
      OpenSSL_0_9_8d
      47c4bb2d
    • Mark J. Cox's avatar
      Introduce limits to prevent malicious keys being able to · 951dfbb1
      Mark J. Cox authored 
      cause a denial of service.  (CVE-2006-2940)
[Steve Henson, Bodo Moeller]

Fix ASN.1 parsing of certain invalid structures that can result
in a denial of service.  (CVE-2006-2937)  [Steve Henson]

Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

Fix SSL client code which could crash if connecting to a
malicious SSLv2 server.  (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
      951dfbb1
  13. Sep 23, 2006
  15. Sep 22, 2006
  17. Sep 18, 2006
  19. Sep 12, 2006
  21. Sep 11, 2006
  23. Sep 06, 2006
  25. Sep 05, 2006
  27. Aug 31, 2006
  29. Aug 28, 2006
  31. Aug 01, 2006
  33. Jul 31, 2006
  35. Jul 19, 2006
  37. Jul 13, 2006
  39. Jul 09, 2006
  41. Jul 02, 2006
  43. Jun 30, 2006
  45. Jun 28, 2006