Add release notes for OTP-18.0+

The version 18.3.4.3 is missing and seems to have had no
announcement or README, I do not know why.

1 files changed, 144 insertions, 0 deletions

diff --git a/release-notes/OTP-20.1.7.README.txt b/release-notes/OTP-20.1.7.README.txt
new file mode 100644
index 0000000..abbb67a
--- /dev/null
+++ b/release-notes/OTP-20.1.7.README.txt
@@ -0,0 +1,144 @@
+Patch Package:           OTP 20.1.7
+Git Tag:                 OTP-20.1.7
+Date:                    2017-11-22
+Trouble Report Id:       OTP-14632, OTP-14653, OTP-14655, OTP-14748,
+                         OTP-14766
+Seq num:                
+System:                  OTP
+Release:                 20
+Application:             public_key-1.5.1, ssl-8.2.2
+Predecessor:             OTP 20.1.6
+
+ Check out the git tag OTP-20.1.7, and build a full OTP system
+ including documentation. Apply one or more applications from this
+ build as patches to your installation using the 'otp_patch_apply'
+ tool. For information on install requirements, see descriptions for
+ each application version below.
+
+ ---------------------------------------------------------------------
+ --- public_key-1.5.1 ------------------------------------------------
+ ---------------------------------------------------------------------
+
+ The public_key-1.5.1 application can be applied independently of
+ other applications on a full OTP 20 installation.
+
+ --- Improvements and New Features ---
+
+  OTP-14653    Application(s): public_key
+
+               Hostname verification: Add handling of the general name
+               iPAddress in certificate's subject alternative name
+               extension (subjAltName).
+
+
+  OTP-14766    Application(s): public_key
+
+               Correct key handling in pkix_test_data/1 and use a
+               generic example mail address instead of an existing
+               one.
+
+
+ Full runtime dependencies of public_key-1.5.1: asn1-3.0, crypto-3.8,
+ erts-6.0, kernel-3.0, stdlib-2.0
+
+
+ ---------------------------------------------------------------------
+ --- ssl-8.2.2 -------------------------------------------------------
+ ---------------------------------------------------------------------
+
+ Note! The ssl-8.2.2 application can *not* be applied independently of
+       other applications on an arbitrary OTP 20 installation.
+
+       On a full OTP 20 installation, also the following runtime
+       dependency has to be satisfied:
+       -- public_key-1.5 (first satisfied in OTP 20.1)
+
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-14632    Application(s): ssl
+
+               TLS sessions must be registered with SNI if provided,
+               so that sessions where client hostname verification
+               would fail can not connect reusing a session created
+               when the server name verification succeeded.
+
+               Thanks to Graham Christensen for reporting this.
+
+
+  OTP-14748    Application(s): ssl
+
+               An erlang TLS server configured with cipher suites
+               using rsa key exchange, may be vulnerable to an
+               Adaptive Chosen Ciphertext attack (AKA Bleichenbacher
+               attack) against RSA, which when exploited, may result
+               in plaintext recovery of encrypted messages and/or a
+               Man-in-the-middle (MiTM) attack, despite the attacker
+               not having gained access to the server’s private key
+               itself. CVE-2017-1000385
+
+               Exploiting this vulnerability to perform plaintext
+               recovery of encrypted messages will, in most practical
+               cases, allow an attacker to read the plaintext only
+               after the session has completed. Only TLS sessions
+               established using RSA key exchange are vulnerable to
+               this attack.
+
+               Exploiting this vulnerability to conduct a MiTM attack
+               requires the attacker to complete the initial attack,
+               which may require thousands of server requests, during
+               the handshake phase of the targeted session within the
+               window of the configured handshake timeout. This attack
+               may be conducted against any TLS session using RSA
+               signatures, but only if cipher suites using RSA key
+               exchange are also enabled on the server. The limited
+               window of opportunity, limitations in bandwidth, and
+               latency make this attack significantly more difficult
+               to execute.
+
+               RSA key exchange is enabled by default although least
+               prioritized if server order is honored. For such a
+               cipher suite to be chosen it must also be supported by
+               the client and probably the only shared cipher suite.
+
+               Captured TLS sessions encrypted with ephemeral cipher
+               suites (DHE or ECDHE) are not at risk for subsequent
+               decryption due to this vulnerability.
+
+               As a workaround if default cipher suite configuration
+               was used you can configure the server to not use
+               vulnerable suites with the ciphers option like this:
+
+               {ciphers, [Suite || Suite <- ssl:cipher_suites(),
+               element(1,Suite) =/= rsa]}
+
+               that is your code will look somethingh like this:
+
+               ssl:listen(Port, [{ciphers, [Suite || Suite <-
+               ssl:cipher_suites(), element(1,S) =/= rsa]} |
+               Options]).
+
+               Thanks to Hanno Böck, Juraj Somorovsky and Craig Young
+               for reporting this vulnerability.
+
+
+ --- Improvements and New Features ---
+
+  OTP-14655    Application(s): ssl
+
+               If no SNI is available and the hostname is an
+               IP-address also check for IP-address match. This check
+               is not as good as a DNS hostname check and certificates
+               using IP-address are not recommended.
+
+               Thanks to Graham Christensen for reporting this.
+
+
+ Full runtime dependencies of ssl-8.2.2: crypto-3.3, erts-7.0,
+ inets-5.10.7, kernel-3.0, public_key-1.5, stdlib-3.2
+
+
+ ---------------------------------------------------------------------
+ ---------------------------------------------------------------------
+ ---------------------------------------------------------------------
+