author: Paul Kehrer <paul.l.kehrer@gmail.com> 2015-09-26 22:57:35 -0500
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2015-09-26 22:57:35 -0500
commit: 8addede7ab0ab1b9b69ce96cb520319a87dee620
tree: 09ae3ee9f095526b512769a156a7e0f4d06433a7 /CHANGELOG.rst
parent: 3c1f5cb6478d85b224c30c3a8608e9f5c523a088
port 1.0.2 changelog to master
Diffstat (limited to 'CHANGELOG.rst')
-rw-r--r-- CHANGELOG.rst 11
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 705c09cd..fdea8c35 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,17 @@ Changelog
* Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
+1.0.2 - 2015-09-27
+~~~~~~~~~~~~~~~~~~
+* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
+ of assertions to check response codes where our tests could not trigger a
+ failure. However, when Python is run with ``-O`` these asserts are optimized
+ away. If a user ran Python with this flag and got an invalid response code
+ this could result in undefined behavior or worse. Accordingly, all response
+ checks from the OpenSSL backend have been converted from ``assert``
+ to a true function call. Credit **Emilia Käsper (Google Security Team)**
+ for the report.
+
1.0.1 - 2015-09-05
~~~~~~~~~~~~~~~~~~
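Review bot: The 1.0.2 entry describes the problem in detail but stops short of telling the reader what to do or what now happens on a bad response code. In the sentence ending "converted from ``assert`` to a true function call", suggest saying what that call does when OpenSSL returns an unexpected code (for example, whether an exception is raised), and adding an explicit line that anyone running Python with ``-O`` on a release prior to 1.0.2 should upgrade. "Undefined behavior or worse" is also vague for a security notice; either name the concrete consequence or drop "or worse". A link to the fixing pull request or issue would help readers of the changelog trace the change.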