OpenSSL v0.9.8.j Release Notes

Release Date: 2009-03-25
    • Don't set val to NULL when freeing up structures; it is freed up by underlying code. If sizeof(void *) > sizeof(long) this can result in zeroing past the valid field. (CVE-2009-0789)

    Paolo Ganci

    • Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591)

    Ivan Nestlerode

    • Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. (CVE-2009-0590)

    Steve Henson

    • Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level.

    Steve Henson

    • Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures.

    Steve Henson

    • Improve efficiency of mem_gets: don't search whole buffer each time for a '\n'.

    Jeremy Shapiro

    • New -hex option for openssl rand.

    Matthieu Herrb

    • Print out UTF8String and NumericString when parsing ASN1.

    Steve Henson

    • Support NumericString type for name components.

    Steve Henson

    • Allow CC in the environment to override the automatically chosen compiler. Note that nothing is done to ensure flags work with the chosen compiler.

    Ben Laurie
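
The length rule behind the UniversalString/BMPString entry above, as an added example that is not OpenSSL's code: a BMPString uses 2 bytes per character and a UniversalString 4, so a decoder can reject content lengths that are not a multiple of that size before any printing routine walks the string. The helper `check_string_tlv`, its return codes and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Universal-class tag numbers (X.680). */
#define TAG_UNIVERSALSTRING 0x1C /* 4 bytes per character */
#define TAG_BMPSTRING       0x1E /* 2 bytes per character */

enum { STR_OK = 0, STR_TRUNCATED = -1, STR_BAD_LENGTH = -2, STR_UNSUPPORTED = -3 };

/* Hypothetical helper: validate one primitive DER TLV and return its content. */
int check_string_tlv(const uint8_t *der, size_t der_len,
                     const uint8_t **content, size_t *len)
{
    size_t pos = 2, n = 0;

    if (der_len < 2) return STR_TRUNCATED;
    if ((der[0] & 0x1F) == 0x1F) return STR_UNSUPPORTED;   /* multi-byte tag */
    if (der[1] < 0x80) {
        n = der[1];                                        /* short-form length */
    } else {
        size_t nbytes = der[1] & 0x7F;                     /* long-form length */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return STR_UNSUPPORTED;
        if (der_len - 2 < nbytes) return STR_TRUNCATED;
        while (nbytes--) n = (n << 8) | der[pos++];
    }
    if (der_len - pos < n) return STR_TRUNCATED;           /* content must fit */
    /* Reject lengths that are not a whole number of characters. */
    if (der[0] == TAG_BMPSTRING && (n & 1)) return STR_BAD_LENGTH;
    if (der[0] == TAG_UNIVERSALSTRING && (n & 3)) return STR_BAD_LENGTH;
    if (content) *content = der + pos;
    if (len) *len = n;
    return STR_OK;
}

/* Constructed sample encodings (not taken from any real certificate). */
static const uint8_t bmp_ok[]    = {0x1E, 0x04, 0x00, 0x41, 0x00, 0x42};
static const uint8_t bmp_odd[]   = {0x1E, 0x03, 0x00, 0x41, 0x00};
static const uint8_t univ_ok[]   = {0x1C, 0x04, 0x00, 0x00, 0x00, 0x41};
static const uint8_t univ_bad[]  = {0x1C, 0x06, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00};
static const uint8_t bmp_short[] = {0x1E, 0x04, 0x00, 0x41};

int main(void)
{
    printf("bmp_ok=%d bmp_odd=%d univ_ok=%d univ_bad=%d bmp_short=%d\n",
           check_string_tlv(bmp_ok, sizeof bmp_ok, NULL, NULL),
           check_string_tlv(bmp_odd, sizeof bmp_odd, NULL, NULL),
           check_string_tlv(univ_ok, sizeof univ_ok, NULL, NULL),
           check_string_tlv(univ_bad, sizeof univ_bad, NULL, NULL),
           check_string_tlv(bmp_short, sizeof bmp_short, NULL, NULL));
    return 0;
}
```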