Release Notes: A race condition was fixed in the parsing code for TLS server extensions, which could lead to arbitrary code execution. This vulnerability, reported as CVE-2010-3864, affected multi-threaded servers using OpenSSL's internal caching mechanism.
Release Notes: A security vulnerability which could potentially be exploited to bypass key validation, reported as CVE-2010-1633, was resolved.
Release Notes: Connection renegotiation was vastly improved to overcome protocol weaknesses. A recently introduced "Record of death" vulnerability was resolved. A possible crash, reported as CVE-2010-0433, was fixed. Some memory leaks were resolved. Initial TLSv1.1 support was added. Handling of TLS versions 2.0 and later was improved, and the highest version is now selected. Support for MD2 has been deprecated. Support for companion-algorithm specific ASN1 signing routines was added. Signature dumping was improved. Many other improvements and minor bugfixes were made.
Release Notes: Fixes to stateless session resumption handling were made. Error return checking was improved for several function calls. Leading 0x80 bytes in OIDs are no longer tolerated. The server certificate chain building code now correctly uses X509_verify_cert(). A potential denial of service attack in dtls1_process_out_of_seq_message() was resolved. Several other bugs were fixed.
Release Notes: Three security flaws of moderate severity were fixed: Printing the contents of an ASN1 certificate with an illegally encoded length could cause an application crash (CVE-2009-0590). CMS verification could cause an invalid set of signed attributes to appear valid (CVE-2009-0591). A malformed ASN1 structure could cause invalid memory access (CVE-2009-0789). Further minor modifications were made.
Release Notes: Several incorrect checks, allowing a malformed signature to be treated as a good signature rather than as an error, were fixed. This vulnerability was reported as CVE-2008-5077. Experimental JPAKE support was implemented. Support for XMPP STARTTLS was added in s_client. Several other minor changes were made.
Release Notes: An incomplete fix for unsafe triple-checked locking was updated. Several precautionary measures were introduced. Support for the Local Machine Keyset attribute in PKCS#12 files was added. Several minor bugs were fixed.
Release Notes: Two crashes discovered using the Codenomicon TLS test suite, as reported in CVE-2008-0891 and CVE-2008-1672, were fixed. The root CA certificates of commercial CAs were removed from the distribution. Functions were added to implement RFC3394 compatible AES key wrapping. Utility functions to handle ASN1 structures were added. The certificate status request TLS extension, as defined in RFC3546, was implemented. Several other bugfixes and enhancements were made.
Release Notes: DTLS interoperation with non-compliant servers was fixed. IA64 assembler code was fixed. A binary incompatibility in the ssl_ctx_st structure was adjusted.
Release Notes: A flaw in the DTLS implementation that could lead to the compromise of clients and servers with DTLS enabled, as reported in CVE-2007-4995, was fixed. An off-by-one error in SSL_get_shared_ciphers(), as reported in CVE-2007-5135, was fixed. Branch prediction attacks were mitigated. Several other bugfixes were made. RFC4507 support was added, including the corrections in RFC4507bis. Initial support for TLS extensions, specifically for the server_name extension, was added.