port 1.0.2 changelog to master
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 705c09c..fdea8c3 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,17 @@
 
 * Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
 
+1.0.2 - 2015-09-27
+~~~~~~~~~~~~~~~~~~
+* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
+  of assertions to check response codes where our tests could not trigger a
+  failure.  However, when Python is run with ``-O`` these asserts are optimized
+  away.  If a user ran Python with this flag and got an invalid response code
+  this could result in undefined behavior or worse. Accordingly, all response
+  checks from the OpenSSL backend have been converted from ``assert``
+  to a true function call. Credit **Emilia Käsper (Google Security Team)**
+  for the report.
+
 1.0.1 - 2015-09-05
 ~~~~~~~~~~~~~~~~~~
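Review bot: The impact statement in the new 1.0.2 entry ("this could result in undefined behavior or worse") is too vague for a line flagged **SECURITY ISSUE**, and the entry never tells readers what to do. Consider saying plainly that an unchecked OpenSSL return code means the backend keeps going after a failed call, and add an explicit "users running Python with optimizations enabled should upgrade to 1.0.2". The entry also names only the ``-O`` flag. Setting the ``PYTHONOPTIMIZE`` environment variable strips ``assert`` statements the same way, so deployments that never pass ``-O`` on the command line may wrongly conclude they are unaffected; mention both. Minor style point: sentence spacing is inconsistent within the bullet (two spaces after "failure." and "away.", one after "worse."), and the heading underline is followed directly by the bullet with no blank line, unlike the blank-line separation used around the ``X963KDF`` bullet in the context above.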