Skip to content
  1. May 06, 2014
  2. May 05, 2014
  3. May 04, 2014
  4. May 03, 2014
  5. May 02, 2014
  6. May 01, 2014
  7. Apr 30, 2014
  8. Apr 29, 2014
  9. Apr 27, 2014
  10. Apr 26, 2014
  11. Apr 25, 2014
  12. Apr 24, 2014
  13. Apr 23, 2014
  14. Apr 22, 2014
  15. Apr 21, 2014
  16. Apr 16, 2014
  17. Apr 15, 2014
  18. Apr 11, 2014
  19. Apr 09, 2014
  20. Apr 08, 2014
  21. Apr 07, 2014
    • Dr. Stephen Henson's avatar
      Return if ssleay_rand_add called with zero num. · f74fa33b
      Dr. Stephen Henson authored
      Treat a zero length passed to ssleay_rand_add a no op: the existing logic
      zeroes the md value which is very bad. OpenSSL itself never does this
      internally and the actual call doesn't make sense as it would be passing
      zero bytes of entropy.
      
      Thanks to Marcus Meissner <meissner@suse.de> for reporting this bug.
      (cherry picked from commit 5be1ae28)
      f74fa33b
    • Dr. Stephen Henson's avatar
      Add heartbeat extension bounds check. · 731f4314
      Dr. Stephen Henson authored
      A missing bounds check in the handling of the TLS heartbeat extension
      can be used to reveal up to 64k of memory to a connected client or
      server.
      
      Thanks for Neel Mehta of Google Security for discovering this bug and to
      Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
      preparing the fix (CVE-2014-0160)
      (cherry picked from commit 96db9023)
      731f4314