Also, the release notes list: * Fix for TLS record tampering bug CVE-2013-4353
But the list of OpenSSL vulnerabilities linked from there does not mention this anywhere... .................................... Erik Tkal et...@me.com uʍop ǝpısdn ǝɹɐ noʎ sıɥʇ pɐǝɹ uɐɔ noʎ ɟı On 06 Jan 2014, at 10:27 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote: > On 01/06/2014 09:49 AM, OpenSSL wrote: > >> OpenSSL version 1.0.1f released >> =============================== > [...] >> The OpenSSL project team is pleased to announce the release of >> version 1.0.1f of our open source toolkit for SSL/TLS. For details >> of changes and known issues see the release notes at: >> >> http://www.openssl.org/news/openssl-1.0.1-notes.html > > Looking at the source on github, i see that Nick Mathewson's > no_gmt_unix_time branch was also merged between 1.0.1e and 1.0.1f, but > it is not mentioned in the release notes. >