root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Add CHANGES.md and NEWS.md entries for CVE-2024-9143 

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/25734)

(cherry picked from commit 233034bc5a)
This commit is contained in:
Tomas Mraz 2024-10-18 13:51:37 +02:00 committed by Matt Caswell
parent 50d79e0916
commit 8d5ef8d66c
2 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
CHANGES.md
View File

@ -30,7 +30,21 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.15 and 3.0.16 [xx XXX xxxx]
* none yet
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds memory
reads or writes.
Applications working with "exotic" explicit binary (GF(2^m)) curve
parameters, that make it possible to represent invalid field polynomials
with a zero constant term, via the above or similar APIs, may terminate
abruptly as a result of reading or writing outside of array bounds. Remote
code execution cannot easily be ruled out.
([CVE-2024-9143])
*Viktor Dukhovni*
### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
@ -19926,6 +19940,7 @@ ndif
<!-- Links -->
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741

10
NEWS.md
View File

@ -20,7 +20,14 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.15 and OpenSSL 3.0.16 [under development]
* none
OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
release is Low.
This release incorporates the following bug fixes and mitigations:
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
([CVE-2024-9143])
### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]
@ -1499,6 +1506,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741