OpenSSL v0.9.8.j Release Notes
Release Date: 2009-03-25
- Don't set val to NULL when freeing up structures, it is freed up by underlying code. If sizeof(void *) > sizeof(long) this can result in zeroing past the valid field. [CVE-2009-0789]
Paolo Ganci
- Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. [CVE-2009-0591]
Ivan Nestlerode
- Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. [CVE-2009-0590]
- Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level.
- Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures.
- Improve efficiency of mem_gets: don't search whole buffer each time for a '\n'
Jeremy Shapiro
- New -hex option for openssl rand.
- Print out UTF8String and NumericString when parsing ASN1.
- Support NumericString type for name components.
- Allow CC in the environment to override the automatically chosen compiler. Note that nothing is done to ensure flags work with the chosen compiler.
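The length rule behind the CVE-2009-0590 entry above, as an added example (not OpenSSL's own code): BMPString values are 2 bytes per character and UniversalString values are 4, so a decoder should reject any other length before code that steps through the string character by character sees it. The helper name check_string_tlv, the status codes and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define TAG_UNIVERSALSTRING 0x1C /* universal tag 28: 4 bytes per character */
#define TAG_BMPSTRING       0x1E /* universal tag 30: 2 bytes per character */

enum str_check { STR_OK, STR_TRUNCATED, STR_BAD_LENGTH_FORM, STR_BAD_CHAR_WIDTH };

/* Hypothetical helper (not an OpenSSL function): validate one DER string TLV
 * in buf[0..n) and, on success, return its value bytes via content/clen. */
static enum str_check check_string_tlv(const unsigned char *buf, size_t n,
                                       const unsigned char **content, size_t *clen)
{
    size_t len, hdr = 2, i;
    if (n < 2)
        return STR_TRUNCATED;
    len = buf[1];
    if (len & 0x80) {                    /* long form: low 7 bits count length bytes */
        size_t nbytes = len & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return STR_BAD_LENGTH_FORM;  /* indefinite or oversized length */
        if (n < 2 + nbytes)
            return STR_TRUNCATED;
        for (len = 0, i = 0; i < nbytes; i++)
            len = (len << 8) | buf[2 + i];
        hdr += nbytes;
    }
    if (len > n - hdr)
        return STR_TRUNCATED;            /* declared length exceeds the buffer */
    /* Reject lengths that are not a whole number of characters, so later
     * code can step through the value one character width at a time. */
    if ((buf[0] == TAG_BMPSTRING && (len & 1)) ||
        (buf[0] == TAG_UNIVERSALSTRING && (len & 3)))
        return STR_BAD_CHAR_WIDTH;
    *content = buf + hdr;
    *clen = len;
    return STR_OK;
}

/* Constructed sample encodings (not taken from any real certificate). */
static const unsigned char bmp_ok[]  = { 0x1E, 0x04, 0x00, 'O', 0x00, 'K' };
static const unsigned char bmp_odd[] = { 0x1E, 0x03, 0x00, 'O', 0x00 };
static const unsigned char uni_bad[] = { 0x1C, 0x06, 0, 0, 0, 'A', 0, 0 };

int main(void)
{
    const unsigned char *p; size_t l;
    printf("%d %d %d\n", check_string_tlv(bmp_ok, sizeof bmp_ok, &p, &l),
           check_string_tlv(bmp_odd, sizeof bmp_odd, &p, &l),
           check_string_tlv(uni_bad, sizeof uni_bad, &p, &l));
    return 0;
}
```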