GnuTLS: Fix client detection of server reject of client cert under TLS1.3

[exim.git] / doc / doc-txt / ChangeLog

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d182115e4ea07548168dde02e58a5dff0b56a698..7adc1d6e0b831afc37e9cee733c254ee324a223b 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -4,6 +4,11 @@ This document describes *changes* to previous versions, that might
 affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 

+Exim version 4.92.2
+-------------------
+
+HS/01 Handle trailing backslash gracefully. (CVE-2019-15846)
+

 
 Exim version 4.92.1
 -------------------
 
 Exim version 4.92.1
 -------------------


@@ -11,6 +16,20 @@ Exim version 4.92.1
 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006)
 
 
 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006)
 
 

+Since version 4.92
+------------------
+
+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+
+JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
+      TLS1.3, means that a server rejecting a client certificate is not visible
+      to the client until the first read of encrypted data (typically the
+      response to EHLO).  Add detection for that case and treat it as a failed
+      TLS connection attempt, so that the normal retry-in-clear can work (if
+      suitably configured).
+
+

 Exim version 4.92
 -----------------
 
 Exim version 4.92
 -----------------