path: root/CHANGES
diff options
Diffstat (limited to 'CHANGES')
1 files changed, 36 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 7ea3d2b82322..37dd60b726ee 100644
@@ -7,6 +7,38 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
+ *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
+ This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
+ If an attacker can control both items being compared then this could lead
+ to a possible denial of service attack. OpenSSL itself uses the
+ GENERAL_NAME_cmp function for two purposes:
+ 1) Comparing CRL distribution point names between an available CRL and a
+ CRL distribution point embedded in an X509 certificate
+ 2) When verifying that a timestamp response token signer matches the
+ timestamp authority name (exposed via the API functions
+ TS_RESP_verify_response and TS_RESP_verify_token)
+ (CVE-2020-1971)
+ [Matt Caswell]
+ *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
+ [Stuart Carnie]
+ *) The security callback, which can be customised by application code, supports
+ the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+ in the "other" parameter. In most places this is what is passed. All these
+ places occur server side. However there was one client side call of this
+ security operation and it passed a DH object instead. This is incorrect
+ according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+ of the other locations. Therefore this client side call has been changed to
+ pass an EVP_PKEY instead.
+ [Matt Caswell]
+ *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
+ when validating a certificate path. This check is restored in 1.1.1i.
+ [David von Oheimb]
Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
*) Certificates with explicit curve parameters are now disallowed in
@@ -32,6 +64,10 @@
on renegotiation.
[Tomas Mraz]
+ *) Accidentally, an expired trusted (root) certificate is not anymore rejected
+ when validating a certificate path.
+ [David von Oheimb]
*) The Oracle Developer Studio compiler will start reporting deprecated APIs
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]