Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
*) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
(CVE-2013-4353)
*) Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]
*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]
Note:
Despite the fact that openssl's "Configure" script seems to offer support
for MIT Kerberos and Heimdal only the MIT flavour is officially supported!
Note:
This is needed to solve the possible circular dependency with kerberos
implementations like MIT kerberos (krb5 package) or Heimdal (heimdal
package).
New gas requires sign extention in lea instruction. This resolves md5-x86_64.pl
and sha1-x86_64.pl bugs, but without modifying the code. PR: 2094,2095
http://cvs.openssl.org/chngview?cn=18869
Fix for out range of signed 32bit displacement error on newer binutils in file
sha1-x86_64.pl.
http://cvs.openssl.org/chngview?cn=18864
CVE-2008-1678 (Medium) :
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f
through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via
multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server
mod_ssl that specify a compression algorithm.
Christian Wiese
Alejandro Mery
Alejandro Mery
Christian Wiese
Aldas Nabazas
Christian Wiese