[Pkg-openssl-changes] r125 - openssl/branches/openssl0.9.7/debian
Christoph Martin
chrism at costa.debian.org
Wed Apr 5 13:06:56 UTC 2006
Author: chrism
Date: 2006-04-05 13:06:56 +0000 (Wed, 05 Apr 2006)
New Revision: 125
Modified:
openssl/branches/openssl0.9.7/debian/changelog
Log:
0.9.7i release
Modified: openssl/branches/openssl0.9.7/debian/changelog
===================================================================
--- openssl/branches/openssl0.9.7/debian/changelog 2006-03-14 20:02:58 UTC (rev 124)
+++ openssl/branches/openssl0.9.7/debian/changelog 2006-04-05 13:06:56 UTC (rev 125)
@@ -1,3 +1,29 @@
+openssl097 (0.9.7i-1) unstable; urgency=high
+
+ * New upstream release
+ * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+ (part of SSL_OP_ALL). This option used to disable the
+ countermeasure against man-in-the-middle protocol-version
+ rollback in the SSL 2.0 server implementation, which is a bad
+ idea. (CAN-2005-2969)
+ * For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
+ the exponentiation using a fixed-length exponent. (Otherwise,
+ the information leaked through timing could expose the secret key
+ after many signatures; cf. Bleichenbacher's attack on DSA with
+ biased k.)
+ * Make a new fixed-window mod_exp implementation the default for
+ RSA, DSA, and DH private-key operations so that the sequence of
+ squares and multiplies and the memory access pattern are
+ independent of the particular secret key. This will mitigate
+ cache-timing and potential related attacks.
+ * Change the client implementation for SSLv23_method() and
+ SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
+ Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
+ (Previously, the SSL 2.0 backwards compatible Client Hello
+ message format would be used even with SSL_OP_NO_SSLv2.)
+
+ -- Christoph Martin <christoph.martin at uni-mainz.de> Tue, 4 Apr 2006 10:39:20 +0200
+
openssl097 (0.9.7g-5) unstable; urgency=medium
* Add the shlibs for libcrypto again, removed by accident.
More information about the Pkg-openssl-changes
mailing list