Also, I apologize if I'm missing something, but the release notes state: "Fix for TLS record tampering bug CVE-2013-4353." I can't find any mention of that CVE anywhere. The linked OpenSSL vulnerabilities list doesn't include it and neither does NVD (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353).
Patrick Watson, CISSP Software Engineer Data Security & Electronic Payment Systems NCR Retail -----Original Message----- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Monday, January 06, 2014 10:41 AM To: openssl-dev@openssl.org Subject: Re: OpenSSL version 1.0.1f released On Mon, Jan 06, 2014, Daniel Kahn Gillmor wrote: > On 01/06/2014 09:49 AM, OpenSSL wrote: > > > OpenSSL version 1.0.1f released > > =============================== > [...] > > The OpenSSL project team is pleased to announce the release of > > version 1.0.1f of our open source toolkit for SSL/TLS. For details > > of changes and known issues see the release notes at: > > > > http://www.openssl.org/news/openssl-1.0.1-notes.html > > Looking at the source on github, i see that Nick Mathewson's > no_gmt_unix_time branch was also merged between 1.0.1e and 1.0.1f, but > it is not mentioned in the release notes. > Updated now. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org