OpenSSL 0.9.7k Release Notes
Release Date: 2006-09-28
- Introduce limits to prevent malicious keys from causing a denial of service. [CVE-2006-2940] [Steve Henson, Bodo Moeller]
- Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. [CVE-2006-2937] [Steve Henson]
- Fix buffer overflow in the SSL_get_shared_ciphers() function. [CVE-2006-3738] [Tavis Ormandy and Will Drewry, Google Security Team]
- Fix SSL client code that could crash when connecting to a malicious SSLv2 server. [CVE-2006-4343] [Tavis Ormandy and Will Drewry, Google Security Team]
- Change ciphersuite string processing so that an explicit ciphersuite name selects only that ciphersuite (so "AES256-SHA" no longer also includes "AES128-SHA"), together with any equivalent ciphersuite (same bitmap) from other protocol versions (so "RC4-MD5" still includes both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining changes from 0.9.8b and 0.9.8d.
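The cipher-string change above is easy to audit on any installed OpenSSL: expand the string with the linked libssl and see which suites it actually enables. The check below is an added example (not part of the OpenSSL release notes) using Python's standard `ssl` module; it assumes a Python build linked against OpenSSL 1.1 or later.

```python
import ssl


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the linked libssl and return the
    names of the TLS 1.2-and-earlier suites it enables.  TLS 1.3 suites are
    always present in get_ciphers() and are configured separately, so they
    are filtered out to keep the result about the cipher string itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The linked OpenSSL enables none of the requested suites
        # (for example, they are disabled at its security level).
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def explicit_suite_is_exact(name):
    """True when naming one suite explicitly selects only that suite, which is
    the 0.9.7k behaviour described above ("AES256-SHA" must not pull in
    "AES128-SHA").  A keyword such as "AES256" is expected to expand to many
    suites and therefore returns False."""
    return all(n == name for n in expand_cipher_string(name))


if __name__ == "__main__":
    for s in ("AES256-SHA", "AES256"):
        print(s, "->", expand_cipher_string(s), "exact:", explicit_suite_is_exact(s))
```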