root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Add CVE-2024-5535 to CHANGES and NEWS 

Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0c3d66a46e)
This commit is contained in:
Tomas Mraz 2024-09-03 12:24:58 +02:00
parent c3f90ac6e2
commit 2d25b80dad
2 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGES.md
View File

@ -38,10 +38,20 @@ breaking changes, and mappings for the large list of deprecated functions.
an X.509 certificate. This may result in an exception that terminates the
application program.
[(CVE-2024-6119)]
([CVE-2024-6119])
*Viktor Dukhovni*
* Fixed possible buffer overread in SSL_select_next_proto().
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory contents
to be sent to the peer.
([CVE-2024-5535])
*Matt Caswell*
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called.
@ -19913,6 +19923,7 @@ ndif
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

11
NEWS.md
View File

@ -20,10 +20,16 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [under development]
OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
release is Moderate.
* Fixed possible denial of service in X.509 name checks [(CVE-2024-6119)].
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks
([CVE-2024-6119])
* Fixed possible buffer overread in SSL_select_next_proto()
([CVE-2024-5535])
### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
@ -1490,6 +1496,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511