---
- branch: MAIN
  date: Mon Apr 12 14:19:17 UTC 2010
  files:
  - new: '1.147'
    old: '1.146'
    path: pkgsrc/security/openssl/Makefile
    pathrev: pkgsrc/security/openssl/Makefile@1.147
    type: modified
  - new: '1.74'
    old: '1.73'
    path: pkgsrc/security/openssl/distinfo
    pathrev: pkgsrc/security/openssl/distinfo@1.74
    type: modified
  - new: '0'
    old: '1.1'
    path: pkgsrc/security/openssl/patches/patch-bc
    pathrev: pkgsrc/security/openssl/patches/patch-bc@0
    type: deleted
  id: 20100412T141917Z.a3312f580a95a1c7e88bae7543cc0015eac63339
  log: |
    Update openssl package from 0.9.8m to 0.9.8n.

    Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

      *) When rejecting SSL/TLS records due to an incorrect version number,
         never update s->server with a new major version number. As of
         - OpenSSL 0.9.8m if 'short' is a 16-bit type,
         - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
         the previous behavior could result in a read attempt at NULL when
         receiving specific incorrect SSL/TLS records once record payload
         protection is active. (CVE-2010-0740)
         [Bodo Moeller, Adam Langley]

      *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
         could be crashed if the relevant tables were not present (e.g. chrooted).
         [Tomas Hoger]
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/openssl'
  unixtime: '1271081957'
  user: taca
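The first changelog entry above is about a record-layer invariant: a record that fails the version check must be dropped without modifying any connection state. The following C sketch is an added illustration and is not OpenSSL's code nor part of this commit; the struct and function names (`tls_conn`, `tls_check_record_header`, `tls_process_record`) and the header bytes are constructed for the example. It takes the connection as a `const` pointer while validating the 5-byte record header, so the compiler enforces that a rejection path cannot write to it, and applies state changes only after the record has been accepted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record-layer state; not OpenSSL's SSL struct. */
struct tls_conn {
    int server;              /* 1 if we are the server side */
    uint16_t version;        /* negotiated version, e.g. 0x0301 for TLS 1.0; 0 if none yet */
    int payload_protected;   /* nonzero once a cipher is active for incoming records */
    unsigned records_seen;   /* only advanced for accepted records */
};

struct tls_record_hdr {
    uint8_t type;
    uint8_t major, minor;
    uint16_t length;
};

enum { REC_OK = 0, REC_SHORT = -1, REC_BAD_TYPE = -2, REC_BAD_VERSION = -3, REC_TOO_LONG = -4 };

/* 2^14 plaintext plus 2048 bytes headroom for MAC, padding and compression
   (TLS 1.2 record-layer limit, RFC 5246 section 6.2.3). */
#define TLS_MAX_RECORD (16384 + 2048)

/* Parse and validate a 5-byte record header. The connection is const on
 * purpose: every rejection below returns without the possibility of having
 * touched *c, which is the property the CVE-2010-0740 fix restores. */
int tls_check_record_header(const struct tls_conn *c, const uint8_t *buf, size_t len,
                            struct tls_record_hdr *out)
{
    if (len < 5) return REC_SHORT;

    uint8_t type = buf[0], major = buf[1], minor = buf[2];
    uint16_t length = (uint16_t)((buf[3] << 8) | buf[4]);

    /* change_cipher_spec(20), alert(21), handshake(22), application_data(23) */
    if (type < 20 || type > 23) return REC_BAD_TYPE;

    /* Once a version has been negotiated the record version must match it
       exactly; before negotiation only the major byte (3 for SSL3/TLS) is checked.
       A mismatch is rejected outright; the peer's claimed version is never stored. */
    if (c->version != 0) {
        if ((uint16_t)(((uint16_t)major << 8) | minor) != c->version) return REC_BAD_VERSION;
    } else if (major != 3) {
        return REC_BAD_VERSION;
    }

    if (length > TLS_MAX_RECORD) return REC_TOO_LONG;

    out->type = type;
    out->major = major;
    out->minor = minor;
    out->length = length;
    return REC_OK;
}

/* Only after the header has been accepted may connection state advance. */
int tls_process_record(struct tls_conn *c, const uint8_t *buf, size_t len, struct tls_record_hdr *out)
{
    int rc = tls_check_record_header(c, buf, len, out);
    if (rc != REC_OK) return rc;   /* *c is provably untouched here */
    c->records_seen++;
    return REC_OK;
}

int main(void)
{
    struct tls_conn c = { 1, 0x0301, 1, 0 };
    struct tls_record_hdr h;
    /* Constructed headers: application_data, TLS 1.0, 16-byte payload,
       then the same with an out-of-range major version. */
    const uint8_t good[5] = { 23, 3, 1, 0, 16 };
    const uint8_t bad_major[5] = { 23, 4, 1, 0, 16 };

    printf("good: rc=%d records_seen=%u\n", tls_process_record(&c, good, 5, &h), c.records_seen);
    printf("bad major: rc=%d records_seen=%u version=0x%04x\n",
           tls_process_record(&c, bad_major, 5, &h), c.records_seen, c.version);
    return 0;
}
```

The `const` qualifier is the point of the sketch: a validation routine that receives mutable session state invites exactly the kind of "record the new version, then reject" ordering the changelog describes, whereas a routine that cannot write to the state at all has no such path to get wrong.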