Update CHANGES and NEWS for release of 1.1.1g

Reviewed-by: Richard Levitte <levitte@openssl.org>
2020-04-21 10:33:43 +01:00 · 2020-04-21 10:33:43 +01:00 · 23424be835
parent bb19162558
commit 23424be835
2 changed files with 11 additions and 1 deletions
--- a/10
+++ b/10
@ -9,6 +9,16 @@

 Changes between 1.1.1f and 1.1.1g [xx XXX xxxx]

+  *) Fixed segmentation fault in SSL_check_chain()
+     Server or client applications that call the SSL_check_chain() function
+     during or after a TLS 1.3 handshake may crash due to a NULL pointer
+     dereference as a result of incorrect handling of the
+     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+     or unrecognised signature algorithm is received from the peer. This could
+     be exploited by a malicious peer in a Denial of Service attack.
+     (CVE-2020-1967)
+     [Benjamin Kaduk]
+
  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
--- a/2
+++ b/2
@ -7,7 +7,7 @@

  Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [under development]

-      o
+      o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)

  Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]