1. 03 10月, 2006 1 次提交
  2. 29 9月, 2006 1 次提交
  3. 28 9月, 2006 6 次提交
    • B
      All 0.9.8d patches have been applied to HEAD now, so we no longer need · 3c5406b3
      Bodo Möller 提交于
      the redundant entries under the 0.9.9 heading.
      3c5406b3
    • B
      Introduce limits to prevent malicious keys being able to · 5e3225cc
      Bodo Möller 提交于
      cause a denial of service.  (CVE-2006-2940)
      [Steve Henson, Bodo Moeller]
      5e3225cc
    • B
      include 0.9.8d and 0.9.7l information · 61118caa
      Bodo Möller 提交于
      61118caa
    • M
      Fix ASN.1 parsing of certain invalid structures that can result · 348be7ec
      Mark J. Cox 提交于
      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
      348be7ec
    • M
      Fix buffer overflow in SSL_get_shared_ciphers() function. · 3ff55e96
      Mark J. Cox 提交于
      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
      
      Fix SSL client code which could crash if connecting to a
       malicious SSLv2 server.  (CVE-2006-4343)
      [Tavis Ormandy and Will Drewry, Google Security Team]
      3ff55e96
    • R
      Fixes for the following claims: · cbb92dfa
      Richard Levitte 提交于
        1) Certificate Message with no certs
      
        OpenSSL implementation sends the Certificate message during SSL
        handshake, however as per the specification, these have been omitted.
      
        -- RFC 2712 --
           CertificateRequest, and the ServerKeyExchange shown in Figure 1
           will be omitted since authentication and the establishment of a
           master secret will be done using the client's Kerberos credentials
           for the TLS server.  The client's certificate will be omitted for
           the same reason.
        -- RFC 2712 --
      
        3) Pre-master secret Protocol version
      
        The pre-master secret generated by OpenSSL does not have the correct
        client version.
      
        RFC 2712 says, if the Kerberos option is selected, the pre-master
        secret structure is the same as that used in the RSA case.
      
        TLS specification defines pre-master secret as:
               struct {
                   ProtocolVersion client_version;
                   opaque random[46];
               } PreMasterSecret;
      
        where client_version is the latest protocol version supported by the
        client
      
        The pre-master secret generated by OpenSSL does not have the correct
        client version. The implementation does not update the first 2 bytes
        of random secret for Kerberos Cipher suites. At the server-end, the
        client version from the pre-master secret is not validated.
      
      PR: 1336
      cbb92dfa
  4. 26 9月, 2006 1 次提交
  5. 25 9月, 2006 1 次提交
  6. 24 9月, 2006 1 次提交
  7. 23 9月, 2006 2 次提交
  8. 22 9月, 2006 2 次提交
  9. 21 9月, 2006 6 次提交
  10. 19 9月, 2006 5 次提交
  11. 18 9月, 2006 2 次提交
  12. 17 9月, 2006 1 次提交
  13. 15 9月, 2006 1 次提交
  14. 13 9月, 2006 1 次提交
  15. 12 9月, 2006 1 次提交
  16. 11 9月, 2006 2 次提交
  17. 10 9月, 2006 1 次提交
  18. 08 9月, 2006 1 次提交
  19. 06 9月, 2006 4 次提交