Newsflash |  State |  Release Notes |  ChangeLog |  Vulnerabilities 


OpenSSL 0.9.8 Branch Release notes

The major changes and known issues for the 0.9.8 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

Additional details of changes can be found in the change log..

The complete list of changes can be found in the commit log.

Major changes between OpenSSL 0.9.8zg and OpenSSL 0.9.8zh [under development]

Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [11 Jun 2015] Major changes between OpenSSL 0.9.8ze and OpenSSL 0.9.8zf [19 Mar 2015]
  • Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
  • ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
  • DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
  • Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
  • Removed the export ciphers from the DEFAULT ciphers
Major changes between OpenSSL 0.9.8zd and OpenSSL 0.9.8ze [15 Jan 2015]
  • Build fixes for the Windows and OpenVMS platforms
Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [8 Jan 2015] Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]: Major changes between OpenSSL 0.9.8za and OpenSSL 0.9.8zb [6 Aug 2014]: Known issues in OpenSSL 0.9.8za:
  • Compilation failure of s3_pkt.c on some platforms due to missing <limits.h> include. Fixed in 0.9.8zb-dev.
  • FIPS capable link failure with missing symbol BN_consttime_swap. Fixed in 0.9.8zb-dev. Workaround is to compile with no-ec: the EC algorithms are not FIPS approved in OpenSSL 0.9.8 anyway.
Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]: Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]: Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]: Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]: Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]: Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]: Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]: Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]: Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]: Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]: Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]: Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
  • Fix for security issue CVE-2010-0742.
  • Various DTLS fixes.
  • Recognise SHA2 certificates if only SSL algorithms added.
  • Fix for no-rc4 compilation.
  • Chil ENGINE unload workaround.
Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]: Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
  • Cipher definition fixes.
  • Workaround for slow RAND_poll() on some WIN32 versions.
  • Remove MD2 from algorithm tables.
  • SPKAC handling fixes.
  • Support for RFC5746 TLS renegotiation extension.
  • Compression memory leak fixed.
  • Compression session resumption fixed.
  • Ticket and SNI coexistence fixes.
  • Many fixes to DTLS handling.
Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
  • Temporary work around for CVE-2009-3555: disable renegotiation.
Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]: Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
  • Fix security issue (CVE-2008-5077)
  • Merge FIPS 140-2 branch code.
Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
  • CryptoAPI ENGINE support.
  • Various precautionary measures.
  • Fix for bugs affecting certificate request creation.
  • Support for local machine keyset attribute in PKCS#12 files.
Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
  • Backport of CMS functionality to 0.9.8.
  • Fixes for bugs introduced with 0.9.8f.
Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
  • Add gcc 4.2 support.
  • Add support for AES and SSE2 assembly lanugauge optimization for VC++ build.
  • Support for RFC4507bis and server name extensions if explicitly selected at compile time.
  • DTLS improvements.
  • RFC4507bis support.
  • TLS Extensions support.
Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
  • Various ciphersuite selection fixes.
  • RFC3779 support.
Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]: Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
  • Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
  • New cipher Camellia
Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
  • Cipher string fixes.
  • Fixes for VC++ 2005.
  • Updated ECC cipher suite support.
  • New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
  • Zlib compression usage fixes.
  • Built in dynamic engine compilation support on Win32.
  • Fixes auto dynamic engine loading in Win32.
Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
  • Fix potential SSL 2.0 rollback, CVE-2005-2969
  • Extended Windows CE support
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
  • Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library.
  • Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions.
  • Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE.
  • New ASN.1 mini-compiler that's usable through the OpenSSL configuration file.
  • Added support for ASN.1 indefinite length constructed encoding.
  • New PKCS#12 'medium level' API to manipulate PKCS#12 files.
  • Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared.
  • Rework of the passing of parameters from one Makefile to another.
  • Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories.
  • New structure and ASN.1 functions for CertificatePair.
  • Changed the ZLIB compression method to be stateful.
  • Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument.
  • New engine module: GMP (performs private key exponentiation).
  • New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors.
  • Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2.
  • Added support for certificate policy mappings, policy constraints and name constraints.
  • Added support for multi-valued AVAs in the OpenSSL configuration file.
  • Added support for multiple certificates with the same subject in the 'openssl ca' index file.
  • Make it possible to create self-signed certificates using 'openssl ca -selfsign'.
  • Make it possible to generate a serial number file with 'openssl ca -create_serial'.
  • New binary search functions with extended functionality.
  • New BUF functions.
  • New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL.
  • New control functions for the error stack.
  • Changed the PKCS#7 library to support one-pass S/MIME processing.
  • Added the possibility to compile without old deprecated functionality with the OPENSSL_NO_DEPRECATED macro or the 'no-deprecated' argument to the config and Configure scripts.
  • Constification of all ASN.1 conversion functions, and other affected functions.
  • Improved platform support for PowerPC.
  • New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
  • New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation.
  • Major overhaul of RC4 performance on Intel P4, IA-64 and AMD64.
  • Changed the Configure script to have some algorithms disabled by default. Those can be explicitely enabled with the new argument form 'enable-xxx'.
  • Change the default digest in 'openssl' commands from MD5 to SHA-1.
  • Added support for DTLS.
  • New BIGNUM blinding.
  • Added support for the RSA-PSS encryption scheme
  • Added support for the RSA X.931 padding.
  • Added support for BSD sockets on NetWare.
  • Added support for files larger than 2GB.
  • Added initial support for Win64.
  • Added alternate pkg-config files.