Add CVE-2024-5535 to CHANGES and NEWS

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0c3d66a46e)
Tomas Mraz 2024-09-03 12:24:58 +02:00
parent c3f90ac6e2
commit 2d25b80dad
2 changed files with 21 additions and 3 deletions


@ -38,10 +38,20 @@ breaking changes, and mappings for the large list of deprecated functions.
an X.509 certificate. This may result in an exception that terminates the an X.509 certificate. This may result in an exception that terminates the
application program. application program.
[(CVE-2024-6119)] ([CVE-2024-6119])
*Viktor Dukhovni* *Viktor Dukhovni*
* Fixed possible buffer overread in SSL_select_next_proto().
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory contents
to be sent to the peer.
([CVE-2024-5535])
*Matt Caswell*
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024] ### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called. * Fixed potential use after free after SSL_free_buffers() is called.
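Review bot: the commit message says only that CVE-2024-5535 is being added, but the first changed line of this hunk also rewrites the existing CVE-2024-6119 reference from `[(CVE-2024-6119)]` to `([CVE-2024-6119])` so that the Markdown link actually renders; say so in the commit message (or split it out) so the change does not look accidental. The new entry itself follows the layout of the entry above it (description, CVE link on its own line, reporter in italics), which is right. One documentation ask: the entry names the triggering condition (an empty supported client protocols buffer) but not which callers are exposed; a short clause saying from where applications typically call SSL_select_next_proto would help readers decide whether they are affected.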
@ -19913,6 +19923,7 @@ ndif
<!-- Links --> <!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
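Review bot: the new link definition is slotted in descending CVE order between CVE-2024-6119 and CVE-2024-4741, matching the existing list. NEWS.md carries an identical list of definitions and must be updated in the same commit (as it is further down), otherwise the `([CVE-2024-5535])` reference in NEWS.md would render as literal brackets rather than a link.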

NEWS.md

@ -20,10 +20,16 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [under development] ### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [under development]
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
release is Moderate. release is Moderate.
* Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)]. This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks
([CVE-2024-6119])
* Fixed possible buffer overread in SSL_select_next_proto()
([CVE-2024-5535])
### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024] ### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
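Review bot: the first changed line fixes a copy-paste error, "OpenSSL 3.3.2 is a security patch release" in the 3.0 branch NEWS becoming "OpenSSL 3.0.15", and the CVE-2024-6119 bullet is restructured under a new "This release incorporates the following bug fixes and mitigations:" lead-in with the CVE link on its own line; neither change is covered by the commit message, so mention both there. The section heading still reads "[under development]" in both columns, so a follow-up commit has to replace it with the release date before 3.0.15 is tagged, as was done for the "3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]" heading directly below.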
@ -1490,6 +1496,7 @@ OpenSSL 0.9.x
<!-- Links --> <!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511