openssl/NEWS.md

NEWS
====

This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

OpenSSL Releases
----------------

 - [OpenSSL 3.0](#openssl-30)
 - [OpenSSL 1.1.1](#openssl-111)
 - [OpenSSL 1.1.0](#openssl-110)
 - [OpenSSL 1.0.2](#openssl-102)
 - [OpenSSL 1.0.1](#openssl-101)
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)

OpenSSL 3.0
-----------

### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 alpha 5 [in pre-release]

  * Deprecated the `ENGINE` API.
  * Added `OPENSSL_CTX`, a libcrypto library context.
  * Interactive mode is removed from the 'openssl' program.
  * The X25519, X448, Ed25519, Ed448 and SHAKE256 algorithms are included in
    the FIPS provider.  None have the "fips=yes" property set and, as such,
    will not be accidentially used.
  * The algorithm specific public key command line applications have
    been deprecated.  These include dhparam, gendsa and others.  The pkey
    alternatives should be used instead: pkey, pkeyparam and genpkey.
  * X509 certificates signed using SHA1 are no longer allowed at security
    level 1 or higher. The default security level for TLS is 1, so
    certificates signed using SHA1 are by default no longer trusted to
    authenticate servers or clients.
  * enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly
    disabled; the project uses address sanitize/leak-detect instead.
  * Added a Certificate Management Protocol (CMP, RFC 4210) implementation
    also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
    It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
    All widely used CMP features are supported for both clients and servers.
  * Added a proper HTTP(S) client to libcrypto supporting GET and POST,
    redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
  * Added OSSL_SERIALIZER, a generic serializer API.
  * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
  * Added error raising macros, ERR_raise() and ERR_raise_data().
  * Deprecated ERR_put_error().
  * Added OSSL_PROVIDER_available(), to check provider availibility.
  * Added 'openssl mac' that uses the EVP_MAC API.
  * Added 'openssl kdf' that uses the EVP_KDF API.
  * Add OPENSSL_info() and 'openssl info' to get built-in data.
  * Add support for enabling instrumentation through trace and debug
    output.
  * Changed our version number scheme and set the next major release to
    3.0.0
  * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
    bridge.
  * Removed the heartbeat message in DTLS feature.
  * Added EVP_KDF, an EVP layer KDF API, and a generic EVP_PKEY to EVP_KDF
    bridge.
  * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224,
    SHA256, SHA384, SHA512 and Whirlpool digest functions have been
    deprecated.
  * All of the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2,
    RC4, RC5 and SEED cipher functions have been deprecated.
  * All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
    have been deprecated.
  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.

OpenSSL 1.1.1
-------------

### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development]

  *

### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

  * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
    used in exponentiation with 512-bit moduli ([CVE-2019-1551][])

### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

  * Fixed a fork protection issue ([CVE-2019-1549][])
  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    ([CVE-2019-1563][])
  * For built-in EC curves, ensure an EC_GROUP built from the curve name is
    used even when parsing explicit parameters
  * Compute ECC cofactors if not provided during EC_GROUP construction
    ([CVE-2019-1547][])
  * Early start up entropy quality from the DEVRANDOM seed source has been
    improved for older Linux systems
  * Correct the extended master secret constant on EBCDIC systems
  * Use Windows installation paths in the mingw builds ([CVE-2019-1552][])
  * Changed DH_check to accept parameters with order q and 2q subgroups
  * Significantly reduce secure memory usage by the randomness pools
  * Revert the DEVRANDOM_WAIT feature for Linux systems

### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]

  * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543][])

### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]

  * Change the info callback signals for the start and end of a post-handshake
    message exchange in TLSv1.3.
  * Fix a bug in DTLS over SCTP. This breaks interoperability with older
    versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.

### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]

  * Timing vulnerability in DSA signature generation ([CVE-2018-0734][])
  * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735][])

### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

  * Support for TLSv1.3 added. The TLSv1.3 implementation includes:
    * Fully compliant implementation of RFC8446 (TLSv1.3) on by default
    * Early data (0-RTT)
    * Post-handshake authentication and key update
    * Middlebox Compatibility Mode
    * TLSv1.3 PSKs
    * Support for all five RFC8446 ciphersuites
    * RSA-PSS signature algorithms (backported to TLSv1.2)
    * Configurable session ticket support
    * Stateless server support
    * Rewrite of the packet construction code for "safer" packet handling
    * Rewrite of the extension handling code
    For further important information, see the [TLS1.3 page](
    https://wiki.openssl.org/index.php/TLS1.3) in the OpenSSL Wiki.

  * Complete rewrite of the OpenSSL random number generator to introduce the
    following capabilities
      * The default RAND method now utilizes an AES-CTR DRBG according to
        NIST standard SP 800-90Ar1.
      * Support for multiple DRBG instances with seed chaining.
      * There is a public and private DRBG instance.
      * The DRBG instances are fork-safe.
      * Keep all global DRBG instances on the secure heap if it is enabled.
      * The public and private DRBG instance are per thread for lock free
      operation
  * Support for various new cryptographic algorithms including:
      * SHA3
      * SHA512/224 and SHA512/256
      * EdDSA (both Ed25519 and Ed448) including X509 and TLS support
      * X448 (adding to the existing X25519 support in 1.1.0)
      * Multi-prime RSA
      * SM2
      * SM3
      * SM4
      * SipHash
      * ARIA (including TLS support)
  * Significant Side-Channel attack security improvements
  * Add a new ClientHello callback to provide the ability to adjust the SSL
  object at an early stage.
  * Add 'Maximum Fragment Length' TLS extension negotiation and support
  * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other
  objects.
  * Move the display of configuration data to configdata.pm.
  * Allow GNU style "make variables" to be used with Configure.
  * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  * Rewrite of devcrypto engine

OpenSSL 1.1.0
-------------

### Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019]

  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    ([CVE-2019-1563][])
  * For built-in EC curves, ensure an EC_GROUP built from the curve name is
    used even when parsing explicit parameters
  * Compute ECC cofactors if not provided during EC_GROUP construction
    ([CVE-2019-1547][])
  * Use Windows installation paths in the mingw builds ([CVE-2019-1552][])

### Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]

  * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543][])

### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]

  * Timing vulnerability in DSA signature generation ([CVE-2018-0734][])
  * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735][])

### Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]

  * Client DoS due to large DH parameter ([CVE-2018-0732][])
  * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737][])

### Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018]

  * Constructed ASN.1 types with a recursive definition could exceed the
    stack ([CVE-2018-0739][])
  * Incorrect CRYPTO_memcmp on HP-UX PA-RISC ([CVE-2018-0733][])
  * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738][])

### Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017]

  * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736][])
  * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735][])

### Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017]

  * config now recognises 64-bit mingw and chooses mingw64 instead of mingw

### Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017]

  * Encrypt-Then-Mac renegotiation crash ([CVE-2017-3733][])

### Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017]

  * Truncated packet could crash via OOB read ([CVE-2017-3731][])
  * Bad (EC)DHE parameters cause a client crash ([CVE-2017-3730][])
  * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732][])

### Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016]

  * ChaCha20/Poly1305 heap-buffer-overflow ([CVE-2016-7054][])
  * CMS Null dereference ([CVE-2016-7053][])
  * Montgomery multiplication may produce incorrect results ([CVE-2016-7055][])

### Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]

  * Fix Use After Free for large message sizes ([CVE-2016-6309][])

### Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]

  * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][])
  * SSL_peek() hang on empty record ([CVE-2016-6305][])
  * Excessive allocation of memory in tls_get_message_header()
    ([CVE-2016-6307][])
  * Excessive allocation of memory in dtls1_preprocess_fragment()
    ([CVE-2016-6308][])

### Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016]

  * Copyright text was shrunk to a boilerplate that points to the license
  * "shared" builds are now the default when possible
  * Added support for "pipelining"
  * Added the AFALG engine
  * New threading API implemented
  * Support for ChaCha20 and Poly1305 added to libcrypto and libssl
  * Support for extended master secret
  * CCM ciphersuites
  * Reworked test suite, now based on perl, Test::Harness and Test::More
  * *Most* libcrypto and libssl public structures were made opaque,
    including:
    BIGNUM and associated types, EC_KEY and EC_KEY_METHOD,
    DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD,
    BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX,
    EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX,
    X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE,
    X509_LOOKUP, X509_LOOKUP_METHOD
  * libssl internal structures made opaque
  * SSLv2 support removed
  * Kerberos ciphersuite support removed
  * RC4 removed from DEFAULT ciphersuites in libssl
  * 40 and 56 bit cipher support removed from libssl
  * All public header files moved to include/openssl, no more symlinking
  * SSL/TLS state machine, version negotiation and record layer rewritten
  * EC revision: now operations use new EC_KEY_METHOD.
  * Support for OCB mode added to libcrypto
  * Support for asynchronous crypto operations added to libcrypto and libssl
  * Deprecated interfaces can now be disabled at build time either
    relative to the latest release via the "no-deprecated" Configure
    argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
  * Application software can be compiled with -DOPENSSL_API_COMPAT=version
    to ensure that features deprecated in that version are not exposed.
  * Support for RFC6698/RFC7671 DANE TLSA peer authentication
  * Change of Configure to use --prefix as the main installation
    directory location rather than --openssldir.  The latter becomes
    the directory for certs, private key and openssl.cnf exclusively.
  * Reworked BIO networking library, with full support for IPv6.
  * New "unified" build system
  * New security levels
  * Support for scrypt algorithm
  * Support for X25519
  * Extended SSL_CONF support using configuration files
  * KDF algorithm support. Implement TLS PRF as a KDF.
  * Support for Certificate Transparency
  * HKDF support.

OpenSSL 1.0.2
-------------

### Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019]

  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    ([CVE-2019-1563][])
  * For built-in EC curves, ensure an EC_GROUP built from the curve name is
    used even when parsing explicit parameters
  * Compute ECC cofactors if not provided during EC_GROUP construction
    ([CVE-2019-1547][])
  * Document issue with installation paths in diverse Windows builds
    ([CVE-2019-1552][])

### Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019]

  * None

### Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]

  * 0-byte record padding oracle ([CVE-2019-1559][])

### Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]

  * Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407][])
  * Timing vulnerability in DSA signature generation ([CVE-2018-0734][])

### Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]

  * Client DoS due to large DH parameter ([CVE-2018-0732][])
  * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737][])

### Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]

  * Constructed ASN.1 types with a recursive definition could exceed the
    stack ([CVE-2018-0739][])

### Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]

  * Read/write after SSL object in error state ([CVE-2017-3737][])
  * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738][])

### Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]

  * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736][])
  * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735][])

### Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]

  * config now recognises 64-bit mingw and chooses mingw64 instead of mingw

### Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]

  * Truncated packet could crash via OOB read ([CVE-2017-3731][])
  * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732][])
  * Montgomery multiplication may produce incorrect results ([CVE-2016-7055][])

### Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]

  * Missing CRL sanity check ([CVE-2016-7052][])

### Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]

  * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][])
  * SWEET32 Mitigation ([CVE-2016-2183][])
  * OOB write in MDC2_Update() ([CVE-2016-6303][])
  * Malformed SHA512 ticket DoS ([CVE-2016-6302][])
  * OOB write in BN_bn2dec() ([CVE-2016-2182][])
  * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180][])
  * Pointer arithmetic undefined behaviour ([CVE-2016-2177][])
  * Constant time flag not preserved in DSA signing ([CVE-2016-2178][])
  * DTLS buffered message DoS ([CVE-2016-2179][])
  * DTLS replay protection DoS ([CVE-2016-2181][])
  * Certificate message OOB reads ([CVE-2016-6306][])

### Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]

  * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107][])
  * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105][])
  * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106][])
  * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109][])
  * EBCDIC overread ([CVE-2016-2176][])
  * Modify behavior of ALPN to invoke callback after SNI/servername
    callback, such that updates to the SSL_CTX affect ALPN.
  * Remove LOW from the DEFAULT cipher list.  This removes singles DES from
    the default.
  * Only remove the SSLv2 methods with the no-ssl2-method option.

### Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]

  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
  * Disable SSLv2 default build, default negotiation and weak ciphers
    ([CVE-2016-0800][])
  * Fix a double-free in DSA code ([CVE-2016-0705][])
  * Disable SRP fake user seed to address a server memory leak
    ([CVE-2016-0798][])
  * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    ([CVE-2016-0797][])
  * Fix memory issues in BIO_*printf functions ([CVE-2016-0799][])
  * Fix side channel attack on modular exponentiation ([CVE-2016-0702][])

### Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]

  * DH small subgroups ([CVE-2016-0701][])
  * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197][])

### Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]

  * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2015-3193][])
  * Certificate verify crash with missing PSS parameter ([CVE-2015-3194][])
  * X509_ATTRIBUTE memory leak ([CVE-2015-3195][])
  * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
  * In DSA_generate_parameters_ex, if the provided seed is too short,
    return an error

### Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]

  * Alternate chains certificate forgery ([CVE-2015-1793][])
  * Race condition handling PSK identify hint ([CVE-2015-3196][])

### Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]

  * Fix HMAC ABI incompatibility

### Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]

  * Malformed ECParameters causes infinite loop ([CVE-2015-1788][])
  * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][])
  * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790][])
  * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][])
  * Race condition handling NewSessionTicket ([CVE-2015-1791][])

### Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]

  * OpenSSL 1.0.2 ClientHello sigalgs DoS fix ([CVE-2015-0291][])
  * Multiblock corrupted pointer fix ([CVE-2015-0290][])
  * Segmentation fault in DTLSv1_listen fix ([CVE-2015-0207][])
  * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][])
  * Segmentation fault for invalid PSS parameters fix ([CVE-2015-0208][])
  * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][])
  * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289][])
  * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293][])
  * Empty CKE with client auth and DHE fix ([CVE-2015-1787][])
  * Handshake with unseeded PRNG fix ([CVE-2015-0285][])
  * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209][])
  * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][])
  * Removed the export ciphers from the DEFAULT ciphers

### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]

  * Suite B support for TLS 1.2 and DTLS 1.2
  * Support for DTLS 1.2
  * TLS automatic EC curve selection.
  * API to set TLS supported signature algorithms and curves
  * SSL_CONF configuration API.
  * TLS Brainpool support.
  * ALPN support.
  * CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

OpenSSL 1.0.1
-------------

### Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016]

  * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][])
  * SWEET32 Mitigation ([CVE-2016-2183][])
  * OOB write in MDC2_Update() ([CVE-2016-6303][])
  * Malformed SHA512 ticket DoS ([CVE-2016-6302][])
  * OOB write in BN_bn2dec() ([CVE-2016-2182][])
  * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180][])
  * Pointer arithmetic undefined behaviour ([CVE-2016-2177][])
  * Constant time flag not preserved in DSA signing ([CVE-2016-2178][])
  * DTLS buffered message DoS ([CVE-2016-2179][])
  * DTLS replay protection DoS ([CVE-2016-2181][])
  * Certificate message OOB reads ([CVE-2016-6306][])

### Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016]

  * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107][])
  * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105][])
  * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106][])
  * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109][])
  * EBCDIC overread ([CVE-2016-2176][])
  * Modify behavior of ALPN to invoke callback after SNI/servername
    callback, such that updates to the SSL_CTX affect ALPN.
  * Remove LOW from the DEFAULT cipher list.  This removes singles DES from
    the default.
  * Only remove the SSLv2 methods with the no-ssl2-method option.

### Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]

  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
  * Disable SSLv2 default build, default negotiation and weak ciphers
    ([CVE-2016-0800][])
  * Fix a double-free in DSA code ([CVE-2016-0705][])
  * Disable SRP fake user seed to address a server memory leak
    ([CVE-2016-0798][])
  * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    ([CVE-2016-0797][])
  * Fix memory issues in BIO_*printf functions ([CVE-2016-0799][])
  * Fix side channel attack on modular exponentiation ([CVE-2016-0702][])

### Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]

  * Protection for DH small subgroup attacks
  * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197][])

### Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]

  * Certificate verify crash with missing PSS parameter ([CVE-2015-3194][])
  * X509_ATTRIBUTE memory leak ([CVE-2015-3195][])
  * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
  * In DSA_generate_parameters_ex, if the provided seed is too short,
    return an error

### Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]

  * Alternate chains certificate forgery ([CVE-2015-1793][])
  * Race condition handling PSK identify hint ([CVE-2015-3196][])

### Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]

  * Fix HMAC ABI incompatibility

### Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]

  * Malformed ECParameters causes infinite loop ([CVE-2015-1788][])
  * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][])
  * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790][])
  * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][])
  * Race condition handling NewSessionTicket ([CVE-2015-1791][])

### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015]

  * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][])
  * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][])
  * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289][])
  * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293][])
  * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209][])
  * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][])
  * Removed the export ciphers from the DEFAULT ciphers

### Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]

  * Build fixes for the Windows and OpenVMS platforms

### Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]

  * Fix for [CVE-2014-3571][]
  * Fix for [CVE-2015-0206][]
  * Fix for [CVE-2014-3569][]
  * Fix for [CVE-2014-3572][]
  * Fix for [CVE-2015-0204][]
  * Fix for [CVE-2015-0205][]
  * Fix for [CVE-2014-8275][]
  * Fix for [CVE-2014-3570][]

### Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]

  * Fix for [CVE-2014-3513][]
  * Fix for [CVE-2014-3567][]
  * Mitigation for [CVE-2014-3566][] (SSL protocol vulnerability)
  * Fix for [CVE-2014-3568][]

### Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]

  * Fix for [CVE-2014-3512][]
  * Fix for [CVE-2014-3511][]
  * Fix for [CVE-2014-3510][]
  * Fix for [CVE-2014-3507][]
  * Fix for [CVE-2014-3506][]
  * Fix for [CVE-2014-3505][]
  * Fix for [CVE-2014-3509][]
  * Fix for [CVE-2014-5139][]
  * Fix for [CVE-2014-3508][]

### Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]

  * Fix for [CVE-2014-0224][]
  * Fix for [CVE-2014-0221][]
  * Fix for [CVE-2014-0198][]
  * Fix for [CVE-2014-0195][]
  * Fix for [CVE-2014-3470][]
  * Fix for [CVE-2010-5298][]

### Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]

  * Fix for [CVE-2014-0160][]
  * Add TLS padding extension workaround for broken servers.
  * Fix for [CVE-2014-0076][]

### Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]

  * Don't include gmt_unix_time in TLS server and client random values
  * Fix for TLS record tampering bug [CVE-2013-4353][]
  * Fix for TLS version checking bug [CVE-2013-6449][]
  * Fix for DTLS retransmission bug [CVE-2013-6450][]

### Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]

  * Corrected fix for [CVE-2013-0169][]

### Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]

  * Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
  * Include the fips configuration module.
  * Fix OCSP bad key DoS attack [CVE-2013-0166][]
  * Fix for SSL/TLS/DTLS CBC plaintext recovery attack [CVE-2013-0169][]
  * Fix for TLS AESNI record handling flaw [CVE-2012-2686][]

### Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]

  * Fix TLS/DTLS record length checking bug [CVE-2012-2333][]
  * Don't attempt to use non-FIPS composite ciphers in FIPS mode.

### Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]

  * Fix compilation error on non-x86 platforms.
  * Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
  * Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0

### Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]

  * Fix for ASN1 overflow bug [CVE-2012-2110][]
  * Workarounds for some servers that hang on long client hellos.
  * Fix SEGV in AES code.

### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]

  * TLS/DTLS heartbeat support.
  * SCTP support.
  * RFC 5705 TLS key material exporter.
  * RFC 5764 DTLS-SRTP negotiation.
  * Next Protocol Negotiation.
  * PSS signatures in certificates, requests and CRLs.
  * Support for password based recipient info for CMS.
  * Support TLS v1.2 and TLS v1.1.
  * Preliminary FIPS capability for unvalidated 2.0 FIPS module.
  * SRP support.

OpenSSL 1.0.0
-------------

### Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [3 Dec 2015]

  * X509_ATTRIBUTE memory leak ([CVE-2015-3195][])
  * Race condition handling PSK identify hint ([CVE-2015-3196][])

### Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015]

  * Malformed ECParameters causes infinite loop ([CVE-2015-1788][])
  * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][])