All releases of OpenSSL
Release Notes: This release fixed a DTLS DoS issue which was recently introduced by the fix for CVE-2011-4109.
Release Notes: A fix was introduced for a security issue where an extension of the Vaudenay padding oracle attack on CBC mode encryption enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. This issue was originally reported as CVE-2011-4108. Various other bugfixes and improvements were made.
Release Notes: Initialization of X509_STORE_CTX was fixed to eliminate a case where CRLs with "nextUpdate" in the past were sometimes accepted. (This was reported as CVE-2011-3207.) An error in SSL memory handling for (EC)DH ciphersuites was fixed (CVE-2011-3210). A memory leak on bad inputs to x509_name_ex_d2i was fixed. Some ECC ciphersuites are no longer restricted to SHA1. Protection against ECDSA timing attacks was introduced.
Release Notes: Parsing of the OCSP stapling ClientHello extension was fixed. This issue was reported as CVE-2011-0014. A bug in string printing code, where the escape character itself was not escaped, was fixed.
Release Notes: An error was fixed in the experimental J-PAKE implementation, which could lead to successful validation by someone with no knowledge of the shared secret. This issue was reported as CVE-2010-4252. An old bug in a workaround that allowed malicious clients to modify the stored session cache ciphersuite was fixed. This issue was reported as CVE-2010-4180.
Release Notes: A race condition was fixed in the TLS server extension code parsing, which could lead to arbitrary code execution. This vulnerability, reported as CVE-2010-3864, affected multi-threaded servers using OpenSSL's internal caching mechanism.
Release Notes: A security vulnerability which could potentially be exploited to bypass key validation, reported as CVE-2010-1633, was resolved.
Release Notes: Connection renegotiation was vastly improved to overcome protocol weaknesses. A recently introduced "Record of death" vulnerability was resolved. A possible crash, reported as CVE-2010-0433, was fixed. Some memory leaks were resolved. Initial TLSv1.1 support was added. Handling of TLS versions 2.0 and later was improved, and the highest version is now selected. Support for MD2 has been deprecated. Support for companion-algorithm specific ASN1 signing routines was added. Signature dumping was improved. Many other improvements and minor bugfixes were made.
Release Notes: Fixes to stateless session resumption handling were made. Error return checking was improved for several function calls. Leading 0x80 in OIDs are no longer tolerated. The server certificate chain building code now correctly uses X509_verify_cert(). A potential denial of service attack in dtls1_process_out_of_seq_message() was resolved. Several other bugs were fixed.
Release Notes: Three security flaws of moderate severity were fixed: Printing the contents of an ASN1 certificate with an illegal encoded length could cause an application crash (CVE-2009-0590). CMS verification could cause an invalid set of signed attributes to appear valid (CVE-2009-0591). A malformed ASN1 structure could cause invalid memory access (CVE-2009-0789). Further minor modifications were made.
